From: Kurt Buff
To: freebsd-net@freebsd.org
Date: Tue, 17 Feb 2009 11:21:20 -0800
Subject: Fwd: NATT patch and FreeBSD's setkey
References: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com> <20090217143425.GA58591@zeninc.net> <20090217143409.J53478@maildrop.int.zabbadoz.net>
List-Id: Networking and TCP/IP with FreeBSD

My bad - didn't send to list. See below.

---------- Forwarded message ----------
From: Kurt Buff
Date: Tue, Feb 17, 2009 at 11:20 AM
Subject: Re: NATT patch and FreeBSD's setkey
To: "Bjoern A. Zeeb"

On Tue, Feb 17, 2009 at 6:41 AM, Bjoern A. Zeeb wrote:
> On Tue, 17 Feb 2009, VANHULLEBUS Yvan wrote:
>
> Hi,
>
>> If someone has a magic solution without drawbacks, please tell us !
>
> I am not going to find my posting from a few years back but the
> solution is to keep the kernel and libipsec (and setkey) in base in
> sync and not install libipsec and setkey from the ipsec-tools port.
> Done.
>
> That obviously means that people who patch their kernel need to patch
> their user space as well but that should not be a problem as they
> rebuild anyway and need to build ipsec-tools racoon etc. on their own
> to use the new features as w/o changing the default options it doesn't
> work for nat-t.
>
> That also allows other 3rd party utilities using libipsec to continue
> to do so and use all "features" w/o needing another fork.
>
>
>>> Has anyone had any success using the patched FreeBSD along with racoon2.
>>
>> I just don't know what's the actual status of racoon2, but nat-t
>> patchset is public and everyone can send changes if that helps
>> interaction with other daemons (without breaking again the API if
>> possible.....).
>
> We have about 3 months left to get that patch in for 8; ideally 6
> weeks. Can you update the nat-t patch in a way as discussed here
> before so that the extra address is in etc. and we can move forward?
>
> I basically do not care if racoon from ipsec-tools is not going to
> work for two weeks of HEAD or four as someone will quickly add a
> conditional patch to the port for a __FreeBSD_version > 8xxxxx and
> that can be removed once ipsec-tools properly detect the state of the
> system.
>
> /bz
>
> --
> Bjoern A. Zeeb                      The greatest risk is not taking one.

Forgive my ignorance, but is this the same patch required by
'/usr/ports/security/ike - Shrew Soft IKE daemon and client tools'?

Kurt