Date:      Mon, 16 Apr 2012 11:59:45 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        Zmiter <zmiterby@gmail.com>
Cc:        stable@freebsd.org
Subject:   Re:  Support for IPSec NAT-T in transport mode
Message-ID:  <20120416095945.GA29824@zeninc.net>
In-Reply-To: <4F8ACFB3.5040807@gmail.com>
References:  <4F87AB6F.4050504@gmail.com> <22CC7FDB-162E-44CD-8EEA-0B5B8B560F8B@lists.zabbadoz.net> <4F8ACFB3.5040807@gmail.com>

Hi.


On Sun, Apr 15, 2012 at 04:40:03PM +0300, Zmiter wrote:
> 14.04.2012 19:59, Bjoern A. Zeeb wrote:
> >On 13. Apr 2012, at 04:28 , Zmiter wrote:
> >
> >>Hello.
> >>Does FreeBSD 8.[0-4] support IPSec NAT-T in transport mode? Or is it still
> >>in a broken state?
> >It's not broken; it was never implemented.  No FreeBSD tree shipped does
> >support transport mode at this time.  There are patches but you also need
> >to fix ipsec-tools or your ike daemon.  If you do the latter I can commit
> >the former.
> >
> >/bz
> >
> Where could I get those patches? I'd like to test them and to see what
> I could do with them.

You can get kernel patches in kern/146190, but as said in the PR and
by Bjoern, it needs some work on userland (IKE daemon).


> And, if it's really so difficult to implement transport mode in kernel 
> some way,

I didn't review/try the patch, but the kernel part seems to be done.

> describe it (I think, all the work for third parties will be 
> implemented through pfkey interface), and wait some time (or maybe help
> a little) until it'll be implemented in ipsec-tools.
> It's not the egg and chicken problem, maybe the kernel must be the
> first. Or maybe I'm not in theme so deep? Is it really some sort of big
> and principal incompatibilities with ipsec-tools?

That's why I took the PR a while ago: to have a look at both parts
(kernel and ipsec-tools) and try/commit that once patches exist for
both.

AFAIK, no one has worked on the userland part for ipsec-tools yet
(contact me if I'm wrong!).


Yvan.


