FAST_IPSEC and NAT-T
Michael Vince
mv at thebeastie.org
Tue Jun 20 15:20:20 UTC 2006
VANHULLEBUS Yvan wrote:
>On Tue, Jun 20, 2006 at 11:26:15PM +1000, Michael Vince wrote:
>
>
>>Hey All,
>>When installing the ipsec-tools it says if you want NAT-T you need to
>>install this patch, http://ipsec-tools.sourceforge.net/freebsd6-natt.diff
>>Can anyone tell me if this patch works with Fast_ipsec or is it just
>>for the other ipsec?
>>
>>
>
>Hi.
>
>I didn't have time to port it to FAST_IPSEC now, so it currently only
>works with IPSEC.
>
>But FAST_IPSEC support is on my TODO list, and shouldn't be too
>difficult.... when I'll have time to work on it, and when we'll
>synchronize with other people who are actually working on IPSec
>stacks.
>
>
>Yvan.
>
>
OK cool, the thing that really turns me off about that IPSec is when I
reboot with it compiled in it says "Expect reduced performance" because it's
not mpsafe.
Also I just tried to compile a kernel with that NAT-T patch on the other
IPSEC kernel on 6.1-release and it failed.
I can't think of anything I have done wrong on this machine, it's pretty
fresh. I did cvsup with "RELENG_6_1" beforehand;
maybe there is a tiny enough amount of changes since the RELENG_6_1_0
release for it to fail, but I didn't notice anything serious changed. I
also used the new pure C csup over the cvsup client.
The patch installed fine with no errors but the kernel failed to compile,
ending with this:
/usr/src/sys/netinet/udp_usrreq.c:1046: warning: 'udp4_espinudp' defined but not used
The kernel config was quite generic, listed here below; the GENERIC2 is just
missing a few things like SCSI and RAID bits this machine doesn't need.
include GENERIC2
ident FIREWALL
options DEVICE_POLLING
options HZ=1000
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
#options FAST_IPSEC
#device crypto
#device cryptodev
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
Mike