Date: Tue, 19 Sep 2006 10:04:51 +0200
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-net@freebsd.org
Subject: Re: FAST_IPSEC NAT-T support
Message-ID: <20060919080451.GA3502@zen.inc>
In-Reply-To: <20060918210519.J978@hades.admin.frm2>
References: <20060918180053.73854.qmail@gta.com> <20060918210519.J978@hades.admin.frm2>
On Mon, Sep 18, 2006 at 09:43:41PM +0200, Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,

Hi.

> first of all, a big thanks to Yvan and Larry, and all others, for their
> work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC
> with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications
> after patching where necessary) as client.

Yes, I know there are small (almost all indentation) changes since RELENG_6 which need a separate patch.

> Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools
> version) discussion, I found a minor difference in the output between
> those two when using aes/rijndael encryption and executing "setkey -D".
> The FreeBSD base version of setkey outputs something like this:
> E: rijndael-cbc XXXXXXXX ...
> and the ipsec-tools version of setkey outputs this:
> E: 12 XXXXXXXX ...
>
> The difference comes out of libipsec/pfkey_dump.c .
> In the FreeBSD base version of this file we have this:
> #ifdef SADB_X_EALG_RIJNDAELCBC
> { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
> #endif
>
> and in the ipsec-tools version this:
> #ifdef SADB_X_EALG_AESCBC
> { SADB_X_EALG_AESCBC, "aes-cbc", },
> #endif

Rijndael IS AES, and AES is now the "official" name....

> Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's
> pfkeyv2.h file. The definition for encryption algorithm number 12 in
> pfkeyv2.h is the following:
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES 12
>
> I'm not sure which one is right in this case, but as a quick fix I've
> attached two small patches for the ipsec-tools port.
> Simply copy both files to ${PORTSDIR}/security/ipsec-tools/files and
> rebuild/reinstall the port.

Larry provided very quickly another patch which does the reverse thing (always find AES), and I reported the patch to ipsec-tools HEAD, so it will be on 0.7 branch (should come soon).

If there is a real need to include that patch in FreeBSD's port before that, please submit a PR and I'll add the patch to FreeBSD's port.

Yvan.

--
NETASQ
http://www.netasq.com