Where is IPSec NAT-T support?
vanhu_bsd at zeninc.net
Wed Sep 6 00:01:50 PDT 2006
On Mon, Sep 04, 2006 at 01:59:47PM -0400, Scott Ullrich wrote:
> On 9/4/06, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
> >Are you sure this is a clean RELENG_6_1 with the correct patch?
> >MD5 (freebsd6-natt.diff) = 5e7bb5a3203c8959928bf910d5498140
> Yes it was a clean RELENG_6_1.
> >I compiled this on i386 and amd64 just a few days ago and everything
> >was fine.
> >Perhaps contact me off-list and we'll post a summary once we found the
> Maybe it is because I am including FAST_IPSEC? I have attempted to
> build and use a NAT-T kernel on at least 7 attempts now. Last of which
> was a couple months ago.
Actually, I did NOT make the FAST_IPSEC part of the patch.
Here is probably the good location and the good time for a small
summary of the patch's state:
- The public patch (A) works for IPSEC, and should apply on both
RELENG_6 and RELENG_6_1 (some minor patching issues may need to be
solved by hand, but it's just some indentation changes in the source
code between the two versions).
- This public patch does NOT provide support for multiple peers behind
the same NAT device.
- I have a newer version of the patch (B), against RELENG_6_1, which
provides such support for multiple peers behind the same NAT
device. I was about to put it in a public place when someone raised a
debatable implementation choice in the way ipsec-tools and kernel
exchange some data specific to that NAT-T support (I ported it from
Manu's work on NetBSD).
- I guessed I would quickly have the time to look at it and to clean
it up for both FreeBSD and NetBSD (and perhaps Linux), but I
drastically lacked free time these last months.
- Some FreeBSD developers already had a look at the patch, and are in
contact with me to include it in the kernel, but it has been
reported several times for various reasons.
- FAST_IPSEC support will be quite easy to do when all the other
problems are solved, and I guess Larry Baird will do it if I
don't have free time for that quickly.
As I reported that work several times over the last months, I guess I'll
publish the actual version of the patch (B) these days, which will
already solve some problems for most people, then I'll start to do the
rest of the stuff (FAST_IPSEC and solve kernel/ipsec-tools
> The Kernel configuration file that I am trying to build is
> with the added options IPSEC_NAT_T
> Maybe I am overlooking something simple?