Date: Mon, 18 Sep 2006 16:52:00 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20060918145200.GA26025@zen.inc>
Subject: Re: FAST_IPSEC NAT-T support

On Sun, Sep 17, 2006 at 11:58:17AM -0400, Scott Ullrich wrote:
> On 9/17/06, VANHULLEBUS Yvan wrote:
> >Make sure your ipsec-tools port have been recompiled after your system
> >has been patched / compiled / upgraded, and use
> >/usr/local/sbin/setkey.
> >
> >FreeBSD's setkey does not (yet ?) support NAT-T extensions at all.
>
> I tried both /sbin/setkey and /usr/locals/bin/setkey and both result
> in the same Invalid extension type errors.  Strange....
[....]
> # /usr/local/sbin/setkey -D
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
>
> Can you think of anything else to try?  I re-compiled ipsec-tools on
> the same host before sending this.

That really looks like ipsec-tools have been compiled without NAT-T
support.

By default in FreeBSD's port, NAT-T support is enabled if support is
detected on the system (checks for some structs in
include/net/pfkeyv2.h).

Can you compile again ipsec-tools port, but not clean it, and check in
config.h if you have NAT-T support enabled.

Yvan.

--
NETASQ
http://www.netasq.com