Date: Mon, 18 Sep 2006 16:42:45 -0400 From: Larry Baird <lab@gta.com> To: Joerg Pulz <Joerg.Pulz@frm2.tum.de> Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> Subject: Re: FAST_IPSEC NAT-T support Message-ID: <20060918164245.A98717@gta.com> In-Reply-To: <20060918210519.J978@hades.admin.frm2>; from Joerg.Pulz@frm2.tum.de on Mon, Sep 18, 2006 at 09:43:41PM %2B0200 References: <20060918180053.73854.qmail@gta.com> <20060918210519.J978@hades.admin.frm2>
next in thread | previous in thread | raw e-mail | index | archive | help
--RnlQjJ0d97Da+TV1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Mon, Sep 18, 2006 at 09:43:41PM +0200, Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
>
> first of all, a big thanks to Yvan and Larry, and all others, for their
> work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC
> with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications
> after patching where necessary) as client.
>
>
> Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools
> version) discussion, i found a minor difference in the output between
> those two when using aes/rijndael encryption and executing "setkey -D".
> The FreeBSD base version of setkey outputs something like this:
> E: rijndael-cbc XXXXXXXX ...
> and the ipsec-tools version of setkey outputs this:
> E: 12 XXXXXXXX ...
>
> The difference comes out of libipsec/pfkey_dump.c .
> In the FreeBSD base version of this file we have this:
> #ifdef SADB_X_EALG_RIJNDAELCBC
> { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
> #endif
>
> and in the ipsec-tools version this:
> #ifdef SADB_X_EALG_AESCBC
> { SADB_X_EALG_AESCBC, "aes-cbc", },
> #endif
>
> Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's
> pfkeyv2.h file. The definition for encryption algorithm number 12 in
> pfkeyv2.h is the following:
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES 12
I have attached a slight different and in mind cleaner patch for this
problem. I initially thought the problem was with FreeBSD's pfkeyv2.h.
To be consistent it would seem that:
#define SADB_X_EALG_AES 12
should be
#define SADB_X_EALG_AESCBC 12
Looking at NetBSD, they have the same definition as FreeBSD. It would
seem that this problem exists for both FreebSD and NetBSD. For what its
worth, Linux uses SADB_X_EALG_AESCBC.
--
------------------------------------------------------------------------
Larry Baird | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: lab@gta.com | TEL 407-380-0220, FAX 407-380-6080
--RnlQjJ0d97Da+TV1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="aes.diff"
--- src/libipsec/pfkey_dump.c.orig Mon Sep 18 16:20:41 2006
+++ src/libipsec/pfkey_dump.c Mon Sep 18 16:22:17 2006
@@ -78,6 +78,9 @@
#define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
#endif
#endif
+#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
#define GETMSGSTR(str, num) \
do { \
--- src/setkey/token.l.orig Mon Sep 18 16:20:55 2006
+++ src/setkey/token.l Mon Sep 18 16:22:33 2006
@@ -84,6 +84,9 @@
#ifndef SADB_X_EALG_AESCTR
#define SADB_X_EALG_AESCTR (-1)
#endif
+#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
%}
/* common section */
--RnlQjJ0d97Da+TV1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060918164245.A98717>