From: Michael Vince
Date: Wed, 21 Jun 2006 01:20:17 +1000
To: VANHULLEBUS Yvan
Cc: net@freebsd.org
Subject: Re: FAST_IPSEC and NAT-T

VANHULLEBUS Yvan wrote:

>On Tue, Jun 20, 2006 at 11:26:15PM +1000, Michael Vince wrote:
>
>>Hey All,
>>When installing the ipsec-tools it says if you want NAT-T you need to
>>install this patch, http://ipsec-tools.sourceforge.net/freebsd6-natt.diff
>>Can anyone tell me if this patch works with Fast_ipsec or is it just
>>for the other ipsec?
>
>Hi.
>
>I didn't have time to port it to FAST_IPSEC now, so it currently only
>works with IPSEC.
>
>But FAST_IPSEC support is on my TODO list, and shouldn't be too
>difficult.... when I'll have time to work on it, and when we'll
>synchronize with other people who are actually working on IPSec
>stacks.
>
>Yvan.

OK cool, the thing that really turns me off about that IPSec is that when I
reboot with it compiled in, it says "Expect reduced performance" because
it's not mpsafe.

Also I just tried to compile a kernel with that NAT-T patch on the other
IPSEC kernel on 6.1-release and it failed. I can't think of anything I have
done wrong on this machine, it's pretty fresh. I did cvsup with "RELENG_6_1"
beforehand; maybe there is a tiny enough amount of changes since the
RELENG_6_1_0 release for it to fail, but I didn't notice anything serious
changed. I also used the new pure C csup over the cvsup client.

The patch installed fine with no errors but the kernel failed to compile,
ending with this:

/usr/src/sys/netinet/udp_usrreq.c:1046: warning: 'udp4_espinudp' defined but not used

The kernel was quite generic, listed here below; the GENERIC2 is just
missing a few things like SCSI and RAID bits this machine doesn't need.

include GENERIC2
ident FIREWALL
options DEVICE_POLLING
options HZ=1000
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
#options FAST_IPSEC
#device crypto
#device cryptodev
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ

Mike