Date: Tue, 17 Feb 2009 15:34:25 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Riaan Kruger <riaank@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: NATT patch and FreeBSD's setkey
Message-ID: <20090217143425.GA58591@zeninc.net>
In-Reply-To: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com>
References: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com>
On Tue, Feb 17, 2009 at 02:48:06PM +0200, Riaan Kruger wrote:
> I see a lot of good work done on the nat-t patches for FreeBSD and ipsec-tools.

That's what we're trying to do, even if we know that there is still some work to do!

> I was wondering if the base setkey is due for an update?
> If so is anyone looking to update it?

Upgrading FreeBSD's setkey is not a new question....

Basically, there are various scenarios:

- keep it (almost) without changes; it is enough for basic (static) IPsec, and people who want to do dynamic keying, NAT-T, etc. will install ipsec-tools, so will have /usr/local/sbin/setkey.

- same as above, but do "something" to solve the problem when both /sbin/setkey and /usr/local/sbin/setkey (same for libipsec) are installed.

- just remove setkey/libipsec from the base system. People who want "real IPsec" will need ipsec-tools or something else, but we can't ensure no one will just need setkey/libipsec...

- sync FreeBSD's setkey/libipsec from ipsec-tools. That won't solve all issues (/sbin vs. /usr/local/sbin), and this will need regular syncs with ipsec-tools.

- same as above, but remove the sources from /usr/src, consider ipsec-tools as a contrib (in /usr/src/contrib) and do "something" to automagically update the sources when needed (as in /usr/ports).

All those solutions solve some parts of the problems (except the first one, of course), but keep/generate some others....

If someone has a magic solution without drawbacks, please tell us!

> Has anyone had any success using the patched FreeBSD along with racoon2.

I just don't know what the actual status of racoon2 is, but the nat-t patchset is public and everyone can send changes if that helps interaction with other daemons (without breaking the API again, if possible.....).

Yvan.
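The second scenario above (both /sbin/setkey from the base system and /usr/local/sbin/setkey from the ipsec-tools port installed at once) is the one an administrator can actually check for today. The script below is an added example and is not part of the thread, of FreeBSD or of ipsec-tools. It lists the setkey and libipsec copies present under the base and port prefixes and reports which setkey a given PATH resolves first, which on a default FreeBSD PATH (/sbin before /usr/local/sbin) is the base-system one even after the port is installed. The ROOT variable is an assumption of this example: it lets the same checks run against a staged tree instead of the live root.

```shell
#!/bin/sh
# Added example (not from the thread, FreeBSD or ipsec-tools): report which
# setkey and libipsec a host will use when the base-system copies
# (/sbin/setkey, /usr/lib/libipsec.so*) and the ipsec-tools port copies
# (/usr/local/sbin/setkey, /usr/local/lib/libipsec.so*) coexist.
# ROOT (assumed here, default empty = live root) prefixes every path checked.

# Print "$dir/$name" for the first directory in the colon-separated list $2
# holding an executable $1, exactly as a shell's PATH lookup would choose it.
# Returns 1 and prints nothing when no copy is found.
first_in_path() {
    name=$1
    pathlist=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -n "$dir" ] || continue
        if [ -x "${ROOT:-}$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print how many of the given directories contain a file named $1.
count_copies() {
    name=$1
    shift
    n=0
    for dir in "$@"; do
        [ -e "${ROOT:-}$dir/$name" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print how many of the given directories hold any libipsec.so* file.
count_libipsec() {
    n=0
    for dir in "$@"; do
        for f in "${ROOT:-}$dir"/libipsec.so*; do
            [ -e "$f" ] && n=$((n + 1)) && break
        done
    done
    echo "$n"
}

# Human-readable verdict for a PATH value; always returns 0.
report_setkey() {
    pathlist=$1
    winner=$(first_in_path setkey "$pathlist") || winner="(none)"
    bins=$(count_copies setkey /sbin /usr/local/sbin)
    libs=$(count_libipsec /usr/lib /usr/local/lib)
    echo "setkey resolved from PATH:   $winner"
    echo "setkey copies (base+port):   $bins"
    echo "libipsec copies (base+port): $libs"
    if [ "$bins" -gt 1 ] || [ "$libs" -gt 1 ]; then
        echo "WARNING: base and ipsec-tools copies coexist; the PATH winner" \
             "above is the one your scripts and rc files will run."
    fi
    return 0
}

report_setkey "$PATH"
```

Run it as `sh setkey-check.sh` on the host, or with `ROOT=/path/to/stage` against a staged install. It only reports what is on disk and which binary PATH picks; whether each setkey is linked against the matching libipsec is a separate question that `ldd` on the winning binary answers.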