Date: Tue, 17 Feb 2009 11:21:20 -0800 From: Kurt Buff <kurt.buff@gmail.com> To: freebsd-net@freebsd.org Subject: Fwd: NATT patch and FreeBSD's setkey Message-ID: <a9f4a3860902171121w42ea4fbfte9bef2a99afad204@mail.gmail.com> In-Reply-To: <a9f4a3860902171120q531bd39fp96b9e85e9a4a8a73@mail.gmail.com> References: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com> <20090217143425.GA58591@zeninc.net> <20090217143409.J53478@maildrop.int.zabbadoz.net> <a9f4a3860902171120q531bd39fp96b9e85e9a4a8a73@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
My bad - didn't send to list. See below. ---------- Forwarded message ---------- From: Kurt Buff <kurt.buff@gmail.com> Date: Tue, Feb 17, 2009 at 11:20 AM Subject: Re: NATT patch and FreeBSD's setkey To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> On Tue, Feb 17, 2009 at 6:41 AM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote: > On Tue, 17 Feb 2009, VANHULLEBUS Yvan wrote: > > Hi, > >> If someone has a magic solution without drawbacks, please tell us ! > > I am not going to find my posting from a few years back but the > solution is to keep the kernel and libipsec (and setkey) in base in > sync and not install libipsec and setkey from the ipsec-tools port. > Done. > > That obviously means that people who patch their kernel need to patch > their user space as well but that should not be a problem as they > rebuild anyway and need to build ipsec-tools racoon etc. on their own > to use the new features as w/o changing the default options it doesn't > work for nat-t. > > That also allows other 3rd party utilities using libipsec to continue > to do so and use all "features" w/o needing another fork. > > > >>> Has anyone had any success using the patched FreeBSD along with racoon2. >> >> I just don't know what's the actual status of racoon2, but nat-t >> patchset is public and everyone can send changes if that helps >> interaction with other daemons (without breaking again the API if >> possible.....). > > We have about 3 months left to get that patch in for 8; ideally 6 > weeks. Can you update the nat-t patch in a way as discussed here > before so that the extra address is in etc. and we can move forward? > > I basically do not care if racoon from ipsec-tools is not going to > work for two weeks of HEAD or four as someone will quickly add a > conditional patch to the port for a __FreeBSD_version > 8xxxxx and > that can be removed once ipsec-tools properly detect the state of the > system. > > /bz > > -- > Bjoern A. Zeeb The greatest risk is not taking one. Forgive my ignorance, but is this the same patch required by' /usr/ports/security/ike - Shrew Soft IKE daemon and client tools'? Kurt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a9f4a3860902171121w42ea4fbfte9bef2a99afad204>