From owner-freebsd-net@FreeBSD.ORG Tue Feb 17 14:45:07 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA76C1065675; Tue, 17 Feb 2009 14:45:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 91D328FC1D; Tue, 17 Feb 2009 14:45:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 108A841C6BB; Tue, 17 Feb 2009 15:45:06 +0100 (CET) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id l4A6LG8CB9xh; Tue, 17 Feb 2009 15:45:05 +0100 (CET) Received: by mail.cksoft.de (Postfix, from userid 66) id AE32241C6A3; Tue, 17 Feb 2009 15:45:05 +0100 (CET) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id BD6F84448E6; Tue, 17 Feb 2009 14:41:41 +0000 (UTC) Date: Tue, 17 Feb 2009 14:41:41 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: VANHULLEBUS Yvan In-Reply-To: <20090217143425.GA58591@zeninc.net> Message-ID: <20090217143409.J53478@maildrop.int.zabbadoz.net> References: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com> <20090217143425.GA58591@zeninc.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-net@freebsd.org, Riaan Kruger Subject: Re: NATT patch and FreeBSD's setkey X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Feb 2009 14:45:08 -0000 On Tue, 17 Feb 2009, VANHULLEBUS Yvan wrote: Hi, > If someone has a magic solution without drawbacks, please tell us ! I am not going to find my posting from a few years back but the solution is to keep the kernel and libipsec (and setkey) in base in sync and not install libipsec and setkey from the ipsec-tools port. Done. That obviously means that people who patch their kernel need to patch their user space as well but that should not be a problem as they rebuild anyway and need to build ipsec-tools racoon etc. on their own to use the new features as w/o changing the default options it doesn't work for nat-t. That also allows other 3rd party utilities using libipsec to continue to do so and use all "features" w/o needing another fork. >> Has anyone had any success using the patched FreeBSD along with racoon2. > > I just don't know what's the actual status of racoon2, but nat-t > patchset is public and everyone can send changes if that helps > interaction with other daemons (without breaking again the API if > possible.....). We have about 3 months left to get that patch in for 8; ideally 6 weeks. Can you update the nat-t patch in a way as discussed here before so that the extra address is in etc. and we can move forward? I basically do not care if racoon from ipsec-tools is not going to work for two weeks of HEAD or four as someone will quickly add a conditional patch to the port for a __FreeBSD_version > 8xxxxx and that can be removed once ipsec-tools properly detect the state of the system. /bz -- Bjoern A. Zeeb The greatest risk is not taking one.