From: Larry Baird <lab@gta.com>
To: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan
Date: Mon, 18 Sep 2006 16:42:45 -0400
Subject: Re: FAST_IPSEC NAT-T support
Message-ID: <20060918164245.A98717@gta.com>
In-Reply-To: <20060918210519.J978@hades.admin.frm2>
References: <20060918180053.73854.qmail@gta.com> <20060918210519.J978@hades.admin.frm2>

On Mon, Sep 18, 2006 at 09:43:41PM +0200, Joerg Pulz wrote:
> Hi,
>
> first of all, a big thanks to Yvan and Larry, and all others, for their
> work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC
> with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications
> after patching where necessary) as client.
>
> Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools
> version) discussion, I found a minor difference in the output between
> those two when using aes/rijndael encryption and executing "setkey -D".
> The FreeBSD base version of setkey outputs something like this:
> E: rijndael-cbc XXXXXXXX ...
> and the ipsec-tools version of setkey outputs this:
> E: 12 XXXXXXXX ...
>
> The difference comes out of libipsec/pfkey_dump.c .
> In the FreeBSD base version of this file we have this:
> #ifdef SADB_X_EALG_RIJNDAELCBC
> { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
> #endif
>
> and in the ipsec-tools version this:
> #ifdef SADB_X_EALG_AESCBC
> { SADB_X_EALG_AESCBC, "aes-cbc", },
> #endif
>
> Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's
> pfkeyv2.h file. The definition for encryption algorithm number 12 in
> pfkeyv2.h is the following:
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES 12

I have attached a slightly different and, in my mind, cleaner patch for this
problem. I initially thought the problem was with FreeBSD's pfkeyv2.h. To be
consistent it would seem that:

#define SADB_X_EALG_AES 12

should be

#define SADB_X_EALG_AESCBC 12

Looking at NetBSD, they have the same definition as FreeBSD. It would seem
that this problem exists for both FreeBSD and NetBSD. For what it's worth,
Linux uses SADB_X_EALG_AESCBC.

--
------------------------------------------------------------------------
Larry Baird                          | http://www.gta.com
Global Technology Associates, Inc.   | Orlando, FL
Email: lab@gta.com                   | TEL 407-380-0220, FAX 407-380-6080

[Attachment: aes.diff]

--- src/libipsec/pfkey_dump.c.orig Mon Sep 18 16:20:41 2006 +++ src/libipsec/pfkey_dump.c Mon Sep 18 16:22:17 2006 @@ -78,6 +78,9 @@ #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC #endif #endif +#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC) +#define SADB_X_EALG_AESCBC SADB_X_EALG_AES +#endif #define GETMSGSTR(str, num) \ do { \ --- src/setkey/token.l.orig Mon Sep 18 16:20:55 2006 +++ src/setkey/token.l Mon Sep 18 16:22:33 2006 @@ -84,6 +84,9 @@ #ifndef SADB_X_EALG_AESCTR #define SADB_X_EALG_AESCTR (-1) #endif +#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC) +#define SADB_X_EALG_AESCBC SADB_X_EALG_AES +#endif %} /* common section */
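Review bot: the new `#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)` block in the pfkey_dump.c hunk (@@ -78,6 +78,9 @@) carries no comment explaining why it exists; a one-line note that FreeBSD and NetBSD pfkeyv2.h name value 12 SADB_X_EALG_AES (alongside SADB_X_EALG_RIJNDAELCBC) while ipsec-tools and Linux use SADB_X_EALG_AESCBC would keep a later cleanup from removing it. Placing it next to the RC5CBC fallback groups it with the other compatibility defines, which is the right spot provided it stays above the table whose `#ifdef SADB_X_EALG_AESCBC` entry it is meant to enable.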
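Review bot: the token.l hunk (@@ -84,6 +84,9 @@) repeats the three-line alias from pfkey_dump.c verbatim, so the two copies can drift apart and leave setkey accepting a keyword that pfkey_dump cannot print; a single shared compat header included by both files would avoid that. The form is consistent with the adjacent `#ifndef SADB_X_EALG_AESCTR` / `#define SADB_X_EALG_AESCTR (-1)` fallback, and the `#if defined(...) && ! defined(...)` spelling is justified here because two macros are tested, though the space in `! defined` is unusual next to the surrounding code.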
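As an added illustration of the mechanism Joerg describes (not code from ipsec-tools, FreeBSD or this thread): a constructed stand-in for the two quoted pfkeyv2.h defines, the ipsec-tools table row guarded by `#ifdef SADB_X_EALG_AESCBC`, and the three-line alias from aes.diff, showing why the unpatched build prints the bare number 12 and the patched one prints aes-cbc. The table layout, sentinel and lookup helper are constructed for the demo and only approximate pfkey_dump.c.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the pfkeyv2.h lines quoted in the thread:
 * both names are value 12 and SADB_X_EALG_AESCBC does not exist. */
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES         12

struct alg_name { int id; const char *name; };

/* Table guarded as in ipsec-tools' pfkey_dump.c, seen BEFORE the shim:
 * on FreeBSD the aes-cbc row is compiled out. (Real table is longer.) */
static const struct alg_name ealg_before_shim[] = {
#ifdef SADB_X_EALG_AESCBC
    { SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
    { -1, NULL }                      /* sentinel */
};

/* The three lines aes.diff adds: alias the ipsec-tools name to FreeBSD's. */
#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
#endif

/* Same table seen AFTER the shim: the row is now compiled in. */
static const struct alg_name ealg_after_shim[] = {
#ifdef SADB_X_EALG_AESCBC
    { SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
    { -1, NULL }
};

/* Lookup with the numeric fallback behind Joerg's "E: 12" output. */
static const char *lookup(const struct alg_name *tab, int id)
{
    static char num[16];              /* not thread-safe; demo only */
    for (; tab->name != NULL; tab++)
        if (tab->id == id)
            return tab->name;
    snprintf(num, sizeof num, "%d", id);
    return num;
}

const char *ealg_name_unpatched(int id) { return lookup(ealg_before_shim, id); }
const char *ealg_name_patched(int id)   { return lookup(ealg_after_shim, id); }

int main(void)
{
    printf("unpatched: E: %s\n", ealg_name_unpatched(12));   /* E: 12 */
    printf("patched:   E: %s\n", ealg_name_patched(12));     /* E: aes-cbc */
    return 0;
}
```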