From: Bruce M Simpson
To: freebsd-current@FreeBSD.org
Date: Thu, 13 May 2004 13:25:52 +0100
Message-ID: <20040513122552.GD1678@empiric.dek.spc.org>
Subject: IPSEC ESP NULL no longer works in -CURRENT

Hi,

I've tried both FAST_IPSEC and KAME IPSEC from my last 'working' snapshot of -CURRENT, which is dated April 20th, and neither seems to allow the use of the NULL encryption algorithm (RFC2410). I use this quite regularly to implement tunnels where confidentiality isn't required, but the ability to traverse ISP filters (which permit ESP traffic, but not GRE or IPIP, for example) is required.

From what I can gather with setkey -x, all requests to set up an SA with SADB_EALG_NULL return an errno of 22 (Invalid argument) for both implementations:

    key_add: invalid message is passed.

I haven't drilled down as far as single-stepping through the code; that is difficult to do on this system, as it's the core router for our local network. An update to a recent 5-CURRENT was needed as we plan to run pf's NAT with a simple ADSL-PPPoA-Ethernet bridge device as our main Internet link here.

Before I go tearing into netipsec and netkey, does anybody have any ideas how this functionality might have regressed?

Regards,
BMS