Where is IPSec NAT-T support?

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Wed Sep 6 00:01:50 PDT 2006


On Mon, Sep 04, 2006 at 01:59:47PM -0400, Scott Ullrich wrote:
> On 9/4/06, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
> >Are you sure this is a clean RELENG_6_1 with the correct patch?
> >MD5 (freebsd6-natt.diff) = 5e7bb5a3203c8959928bf910d5498140
> Yes it was a clean RELENG_6_1.
> >I compiled this on i386 and am64 just a few days ago and everything
> >was fine.
> >
> >Perhaps contact me off-list and we'll post a summary once we found the
> >problem?
> Maybe it is because I am including FAST_IPSEC?   I have attempted to
> build and use a NAT-T kernel on atleast 7 attempts now.  Last of which
> was a couple months ago.

Actually, I did NOT make the FAST_IPSEC part of the patch.

Here is probably the good location and the good time for a small
summary of the patch's state:

- The public patch (A) works for IPSEC, and should apply on both
  RELENG_6 and RELENG_6_1 (some minor patching issues may need to be
  solved by hand, but it's just some indentation changes in the source
  code between the two versions).

- This public patch does NOT provide support for multiple peers behind
  the same NAT device.

- I have a newer version of the patch (B), against RELENG_6_1, which
  provides such support for multiples peers behind the same NAT
  device. I was about to put it in public place when someone raised a
  discutable implementation choice in the way ipsec-tools and kernel
  exchange some datas specific to that NAT-T support (I ported it from
  Manu's work on NetBSD).

- I guessed I would have quickly the time to look at it and to clean
  it up for both FreeBSD and NetBSD (and perhaps Linux), but I
  drastically lacked free time those last months.

- Some FreeBSD developpers already had a look at the patch, and are in
  contact with me to include it in the kernel, but it has been
  reported several times for various reasons.

- FAST_IPSEC support will be quite easy to do when all the other
  problems will be solved, and I guess Larry Baird will do it if I
  don't have free time for that quickly.

As I reported that work several time on the last months, I guess I'll
publish the actual version of the patch (B) those days, which will
already solve some problems for most people, then I'll start to do the
rest of the stuff (FAST_IPSEC and solve kernel/ipsec-tools
commnication design).

> The Kernel configuration file that I am trying to build is
> http://pfsense.com/cgi-bin/cvsweb.cgi/tools/builder_scripts/conf/pfSense.6?rev=1.32
> with the added options         IPSEC_NAT_T
> option.
> Maybe I am overlooking something simple?




More information about the freebsd-net mailing list