FAST_IPSEC and NAT-T
vanhu_bsd at zeninc.net
Tue Jun 20 15:30:18 UTC 2006
On Wed, Jun 21, 2006 at 01:20:17AM +1000, Michael Vince wrote:
> OK cool, the thing that really turns my off about that IPSec is when I
> reboot with it compiled in says "Expect reduced performance" because its
> not mpsafe.
> Also I just tried to compile a kernel with that Nat-T patch on the other
> IPSEC kernel on 6.1-release and it failed.
> I can't think of anything I have done wrong on this machine its pretty
> fresh, I did cvsup with "RELENG_6_1" before hand
> maybe there is a tiny enough about of changes since the RELENG_6_1_0
> release for it to fail but I didn't notice anything serious changed, I
> also used the new pure C csup over cvsup client.
> The patch installed fine with no errors but the kernel failed to compile
> ending with this..
> /usr/src/sys/netinet/udp_usrreq.c:1046: warning: 'udp4_espinudp' defined
> but not used
You are compiling without NAT-T support, and this function is not
properly #ifdef'ed in the public version of the patch.
It has been fixed in the new (not yet available) version, which also
provide new features (mainly support for multiple peers behind the
same public IP).
As ipsec-tools 0.6.6 is out now, I'll update the patch on ipsec-tools
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG
Add "options IPSEC_NAT_T" here and it will compile.
More information about the freebsd-net