Date: Mon, 16 Apr 2012 11:59:45 +0200
From: VANHULLEBUS Yvan
To: Zmiter
Cc: stable@freebsd.org
Subject: Re: Support for IPSec NAT-T in transoprt mode

Hi.

On Sun, Apr 15, 2012 at 04:40:03PM +0300, Zmiter wrote:
> 14.04.2012 19:59, Bjoern A. Zeeb wrote:
> >On 13. Apr 2012, at 04:28 , Zmiter wrote:
> >
> >>Hello.
> >>Does FreeBSD 8.[0-4] support IPSec NAT-T in transport mode? Or it's still
> >>in broken state?
> >It's not broken; it was never implemented. No FreeBSD tree shipped does
> >support transport mode at this time. There are patches but you also need
> >to fix ipsec-tools or your ike daemon. If you do the latter I can commit
> >the former.
> >
> >/bz
> >
> Where could I get those patches? I'd like to test them and to see what
> I could do with them.

You can get kernel patches in kern/146190, but as said in the pr and by
Bjoern, it needs some work on userland (IKE daemon).

> And, if it's really so difficult to implement transport mode in kernel
> some way,

I didn't review/try the patch, but kernel part seems to be done.

> describe it (I think, all the work for third parties will be
> implemented through pfkey interface), and wait some time (or maybe help
> a little) until it'll be implemented in ipsec-tools.
> It's not the egg and chicken problem, maybe the kernel must be the
> first. Or maybe I'm not in theme so deep? Is it really some sort of big
> and principal incompatibilities with ipsec-tools?

That's why I took the pr a while ago: to have a look at both parts
(kernel and ipsec-tools) and try/commit that once patches exist for
both.

Afaik, no one already worked on the userland part for ipsec-tools
(contact me if I'm wrong!).

Yvan.