FAST_IPSEC NAT-T support

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Mon Sep 18 07:52:10 PDT 2006


On Sun, Sep 17, 2006 at 11:58:17AM -0400, Scott Ullrich wrote:
> On 9/17/06, VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> wrote:
> >Make sure your ipsec-tools port has been recompiled after your system
> >has been patched / compiled / upgraded, and use
> >/usr/local/sbin/setkey.
> >
> >FreeBSD's setkey does not (yet ?) support NAT-T extensions at all.
> 
> I tried both /sbin/setkey and /usr/locals/bin/setkey and both result
> in the same Invalid extension type errors.

Strange....


[....]
> # /usr/local/sbin/setkey -D
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> 
> Can you think of anything else to try?  I re-compiled ipsec-tools on
> the same host before sending this.

That really looks like ipsec-tools has been compiled without NAT-T
support.

By default in FreeBSD's port, NAT-T support is enabled if support is
detected on the system (checks for some structs in
include/net/pfkeyv2.h).

Can you compile the ipsec-tools port again, but not clean it, and check in
config.h whether you have NAT-T support enabled?


Yvan.

-- 
NETASQ
http://www.netasq.com


More information about the freebsd-net mailing list