From owner-freebsd-net@FreeBSD.ORG Tue Sep 19 08:05:01 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B74EF16A403 for ; Tue, 19 Sep 2006 08:05:01 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from leia.fdn.fr (ns0.fdn.org [80.67.169.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B8C943D45 for ; Tue, 19 Sep 2006 08:05:00 +0000 (GMT) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (reverse-25.fdn.fr [80.67.176.25]) by leia.fdn.fr (8.13.3/8.13.3/FDN) with ESMTP id k8J84uDl001586 for ; Tue, 19 Sep 2006 10:04:59 +0200
Received: by smtp.zeninc.net (smtpd, from userid 1000) id 6972D3F17; Tue, 19 Sep 2006 10:04:51 +0200 (CEST)
Date: Tue, 19 Sep 2006 10:04:51 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20060919080451.GA3502@zen.inc>
References: <20060918180053.73854.qmail@gta.com> <20060918210519.J978@hades.admin.frm2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20060918210519.J978@hades.admin.frm2>
User-Agent: All mail clients suck. This one just sucks less.
Subject: Re: FAST_IPSEC NAT-T support
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 19 Sep 2006 08:05:01 -0000

On Mon, Sep 18, 2006 at 09:43:41PM +0200, Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,

Hi.

> first of all, a big thanks to Yvan and Larry, and all others, for their
> work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC
> with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications
> after patching where necessary) as client.
Yes, I know there are small (almost all indentation) changes since RELENG_6 which need a separate patch.

> Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools
> version) discussion, I found a minor difference in the output between
> those two when using aes/rijndael encryption and executing "setkey -D".
> The FreeBSD base version of setkey outputs something like this:
> E: rijndael-cbc XXXXXXXX ...
> and the ipsec-tools version of setkey outputs this:
> E: 12 XXXXXXXX ...
>
> The difference comes out of libipsec/pfkey_dump.c .
> In the FreeBSD base version of this file we have this:
> #ifdef SADB_X_EALG_RIJNDAELCBC
> { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
> #endif
>
> and in the ipsec-tools version this:
> #ifdef SADB_X_EALG_AESCBC
> { SADB_X_EALG_AESCBC, "aes-cbc", },
> #endif

Rijndael IS AES, and AES is now the "official" name....

> Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's
> pfkeyv2.h file. The definition for encryption algorithm number 12 in
> pfkeyv2.h is the following:
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES 12
>
> I'm not sure which one is right in this case, but as a quick fix I've
> attached two small patches for the ipsec-tools port.
> Simply copy both files to ${PORTSDIR}/security/ipsec-tools/files and
> rebuild/reinstall the port.

Larry very quickly provided another patch which does the reverse thing (always find AES), and I reported the patch to ipsec-tools HEAD, so it will be on the 0.7 branch (should come soon).

If there is a real need to include that patch in FreeBSD's port before that, please submit a PR and I'll add the patch to FreeBSD's port.

Yvan.

--
NETASQ
http://www.netasq.com
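The "E: rijndael-cbc" versus "E: 12" difference Joerg describes comes down to a preprocessor guard that is false against FreeBSD's pfkeyv2.h, so the name entry never makes it into the dump table and setkey falls back to printing the raw algorithm number. The following stand-alone C program is an added illustration and is not code from the thread, from FreeBSD's libipsec or from ipsec-tools: the SADB_* defines reproduce what Joerg quoted (plus a few illustrative values), the three tables mimic the shape of the pfkey_dump.c tables, and the `#ifndef` alias used as the "always find AES" fix is an assumed shape of such a patch, not the actual patch Larry or Joerg wrote.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the part of FreeBSD's pfkeyv2.h quoted in the
 * thread: encryption algorithm 12 is reachable under two names and
 * SADB_X_EALG_AESCBC is not defined at all. The other values are
 * illustrative only.
 */
#define SADB_EALG_NONE           0
#define SADB_EALG_DESCBC         2
#define SADB_EALG_3DESCBC        3
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES         12

struct val2str {
	int val;
	const char *str;
};

/* Base-system style table: its guard macro IS defined, so the entry survives. */
static const struct val2str base_ealg[] = {
	{ SADB_EALG_NONE,    "none" },
	{ SADB_EALG_DESCBC,  "des-cbc" },
	{ SADB_EALG_3DESCBC, "3des-cbc" },
#ifdef SADB_X_EALG_RIJNDAELCBC
	{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc" },
#endif
	{ -1, NULL },
};

/* Unpatched port style table: its guard macro is NOT defined by this header,
 * so the preprocessor silently drops the AES entry. */
static const struct val2str port_ealg[] = {
	{ SADB_EALG_NONE,    "none" },
	{ SADB_EALG_DESCBC,  "des-cbc" },
	{ SADB_EALG_3DESCBC, "3des-cbc" },
#ifdef SADB_X_EALG_AESCBC
	{ SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
	{ -1, NULL },
};

/* Assumed shape of an "always find AES" fix (not the actual patch): alias the
 * missing name to the value the header does define. Order matters: the alias
 * must precede any table that tests the macro. */
#ifndef SADB_X_EALG_AESCBC
#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
#endif

static const struct val2str patched_ealg[] = {
	{ SADB_EALG_NONE,    "none" },
	{ SADB_EALG_DESCBC,  "des-cbc" },
	{ SADB_EALG_3DESCBC, "3des-cbc" },
#ifdef SADB_X_EALG_AESCBC
	{ SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
	{ -1, NULL },
};

/*
 * Name lookup with the same fallback behaviour as setkey -D: a value missing
 * from the table is printed as a bare number, which is the "E: 12" from the
 * thread. The static buffer keeps the wrappers below simple; real code would
 * pass a caller-owned buffer.
 */
static const char *
ealg_name(const struct val2str *tbl, int alg)
{
	static char numbuf[16];

	for (; tbl->str != NULL; tbl++)
		if (tbl->val == alg)
			return tbl->str;
	snprintf(numbuf, sizeof(numbuf), "%d", alg);
	return numbuf;
}

const char *base_ealg_name(int alg)    { return ealg_name(base_ealg, alg); }
const char *port_ealg_name(int alg)    { return ealg_name(port_ealg, alg); }
const char *patched_ealg_name(int alg) { return ealg_name(patched_ealg, alg); }

int
main(void)
{
	int alg = SADB_X_EALG_AES;	/* 12, the SA in Joerg's dump */

	printf("base setkey:    E: %s\n", base_ealg_name(alg));
	printf("port setkey:    E: %s\n", port_ealg_name(alg));
	printf("patched setkey: E: %s\n", patched_ealg_name(alg));
	return 0;
}
```

Build with plain `cc` and run; the three lines print rijndael-cbc, 12 and aes-cbc for the same SA. The practical caveat when auditing SAs with `setkey -D`: a bare number in the E: (or A:) column means the dumper's name table lacks an entry for that value, not that the kernel installed an unknown cipher; resolve the number against the SADB_X_EALG_* defines in pfkeyv2.h before concluding anything about the SA.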