Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 21 Jun 2006 01:20:17 +1000
From:      Michael Vince <mv@thebeastie.org>
To:        VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc:        net@freebsd.org
Subject:   Re: FAST_IPSEC and NAT-T
Message-ID:  <44981231.4060001@thebeastie.org>
In-Reply-To: <20060620135939.GB28424@zen.inc>
References:  <4497F777.4040206@thebeastie.org> <20060620135939.GB28424@zen.inc>
next in thread | previous in thread | raw e-mail | index | archive | help 
VANHULLEBUS Yvan wrote:

>On Tue, Jun 20, 2006 at 11:26:15PM +1000, Michael Vince wrote:
>  
>
>>Hey All,
>>When installing the ipsec-tools it says if you want NAT-T you need to 
>>install this patch, http://ipsec-tools.sourceforge.net/freebsd6-natt.diff
>>Can any one tell me if this patch works with Fast_ipsec or is it just 
>>for the other ipsec?
>>    
>>
>
>Hi.
>
>I didn't have time to port it to FAST_IPSEC now, so it currently only
>works with IPSEC.
>
>But FAST_IPSEC support is on my TODO list, and shouldn't be too
>difficult.... when I'll have time to work on it, and when we'll
>synchronize with other people who are actually working on IPSec
>stacks.
>
>
>Yvan.
>  
>
OK cool, the thing that really turns my off about that IPSec is when I 
reboot with it compiled in says "Expect reduced performance" because its 
not mpsafe.

Also I just tried to compile a kernel with that Nat-T patch on the other 
IPSEC kernel on 6.1-release and it failed.
I can't think of anything I have done wrong on this machine its pretty 
fresh, I did cvsup with "RELENG_6_1" before hand
maybe there is a tiny enough about of changes since the RELENG_6_1_0 
release for it to fail but I didn't notice anything serious changed, I 
also used the new pure C csup over cvsup client.

The patch installed fine with no errors but the kernel failed to compile 
ending with this..

/usr/src/sys/netinet/udp_usrreq.c:1046: warning: 'udp4_espinudp' defined 
but not used

The kernel was quite generic listed here below, the GENERIC2 just  
missing a few things like scsi and raid bits this machine doesn't need.

include GENERIC2

ident           FIREWALL

options DEVICE_POLLING
options HZ=1000

options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

#options         FAST_IPSEC
#device crypto
#device cryptodev

options ALTQ

options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ


Mike

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44981231.4060001>