From: "Bjoern A. Zeeb"
To: VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org
Date: Wed, 26 Aug 2009 21:28:11 +0000 (UTC)
Subject: Re: NAT-T patch for 7-STABLE

On Wed, 26 Aug 2009, VANHULLEBUS Yvan wrote:

Hi,

> On Thu, Aug 13, 2009 at 04:04:05PM +0000, Bjoern A. Zeeb wrote:
>> Hi,
>
> Hi.
> Sorry for the very late answer, but I wanted to work on the userland
> part as soon as I had your patch, then I had an unexpected failure in
> my internet access (still not completely resolved, hope you'll get
> this mail).
>
>
>> I just MFCed the UDP Control Block, which is a prerequisite for merging
>> the NAT-T patch from HEAD (8) to 7-STABLE:
>> http://svn.freebsd.org/viewvc/base?view=revision&revision=196192
>>
>> I also merged back the NAT-T changes from FreeBSD 8/HEAD. This
>> will allow us to provide the same API for tools for FreeBSD 7 (with
>> patch) and stock FreeBSD 8.x and 9 (HEAD).
>
> Great !
>
> With that, I could easily start tests on kernel+userland.

Fantastic; I had hoped that.

> ipsec-tools HEAD is now expected to compile/work with that kernel API,
> and I have a running tunnel with FreeBSD7+patchset+ipsec-tools HEAD as
> the responder (with NAT-T used).
>
> More tests will come soon, but please all report any issue !
>
>
> Latest ipsec-tools snapshot will also compile and work (actually, this
> is exactly the same as HEAD, except some typo fixes....) with that API.

Yes, I could remove my private patches to make ipsec-tools HEAD compile
on FreeBSD 8/9 or 7+patch after the latest update two days ago.

For anyone brave enough to track the bleeding edge of all worlds, I have
put together an initial start of a collection of things...

The following is not for you if you:
(1) don't know how to apply a patch to the kernel, recompile your kernel
    or wonder what I am talking about.
(2) don't know FreeBSD ports creation and compiling basics.
    You'll need to change the makefile, touch internals, run a cvs
    checkout, ...
(3) don't know how to not shoot yourself in the foot

----- my text template that I should streamline and put on the wiki ;) ------

If you are on FreeBSD 6 or earlier, you can stop reading here.

In case you are on 7-STABLE before r196192, either update to latest
7-STABLE or take the patch from SVN r196192 or
http://people.freebsd.org/~bz/20090730-01-mfc-r192649-udpcb.diff
(which should be the same modulo the naming of the spare in the struct
field "notyetmfced" vs. u_pspare).

In case you are on 7-STABLE (or applied the previous patch) you'll need
this patch on top for NAT-T:
http://people.freebsd.org/~bz/20090813-01-mfc-r194062-natt.diff .

In case you are on a recent FreeBSD 8 or FreeBSD 9, you need no patches
for the kernel.

To build an ipsec-tools-devel CVS HEAD checkout port:
apply the patch from .. to your ports tree
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138139
and give the instructions from this one and below a try:
http://people.freebsd.org/~bz/20090824-ipsec-tools.tar.gz
(basically the cvs checkout and the tarball creation; I guess it's
lacking a make makesum at the end)

It may give you something usable. I am not trying the snapshot regularly
and the port isn't ready to be used as an automatic port as you have to
do it all by hand incl. updating PORTVERSION, the cvs checkout, creating
the tarball, make makesum and all that.

But at least for me it compiles the CVS checkout directly, with the port
options from below, on an 8.x/9.x system, without the need for doing any
autocrap stuff manually before creating the src tarball.

You may change the port options of course, I just cannot test all
combinations to see if they work.

If doing this on 7.x make sure to have the kernel patch(es) mentioned
above applied upfront and have the headers installed correctly before
you start building the port.

Successfully tested combination of options:

WITH_DEBUG=true
WITH_IPV6=true
WITHOUT_ADMINPORT=true
WITHOUT_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_NATTF=true
WITH_FRAG=true
WITH_HYBRID=true
WITHOUT_PAM=true
WITHOUT_RADIUS=true
WITHOUT_LDAP=true
WITHOUT_GSSAPI=true
WITHOUT_SAUNSPEC=true
WITH_RC5=true
WITH_IDEA=true
WITHOUT_READLINE=true

------------------------------------------------------------------------

/bz

--
Bjoern A. Zeeb
What was I talking about and who are you again?