FAST_IPSEC NAT-T support
Joerg Pulz
Joerg.Pulz at frm2.tum.de
Mon Sep 18 12:44:08 PDT 2006
Hi,
first of all, a big thanks to Yvan and Larry, and all others, for their
work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC
with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications
after patching where necessary) as client.
Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools
version) discussion, I found a minor difference in the output between
those two when using aes/rijndael encryption and executing "setkey -D".
The FreeBSD base version of setkey outputs something like this:
E: rijndael-cbc XXXXXXXX ...
and the ipsec-tools version of setkey outputs this:
E: 12 XXXXXXXX ...
The difference comes out of libipsec/pfkey_dump.c .
In the FreeBSD base version of this file we have this:
#ifdef SADB_X_EALG_RIJNDAELCBC
{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
#endif
and in the ipsec-tools version this:
#ifdef SADB_X_EALG_AESCBC
{ SADB_X_EALG_AESCBC, "aes-cbc", },
#endif
Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's
pfkeyv2.h file. The definition for encryption algorithm number 12 in
pfkeyv2.h is the following:
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES 12
I'm not sure which one is right in this case, but as a quick fix I've
attached two small patches for the ipsec-tools port.
Simply copy both files to ${PORTSDIR}/security/ipsec-tools/files and
rebuild/reinstall the port.
Any comments on this?
Kind regards
Joerg
--
The beginning is the most important part of the work.
-Plato
-------------- next part --------------
--- src/libipsec/pfkey_dump.c.orig Mon Sep 18 20:56:02 2006
+++ src/libipsec/pfkey_dump.c Mon Sep 18 20:58:13 2006
@@ -190,6 +190,9 @@
#ifdef SADB_X_EALG_AESCBC
{ SADB_X_EALG_AESCBC, "aes-cbc", },
#endif
+#ifdef SADB_X_EALG_RIJNDAELCBC
+ { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
+#endif
#ifdef SADB_X_EALG_TWOFISHCBC
{ SADB_X_EALG_TWOFISHCBC, "twofish-cbc", },
#endif
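Review bot: the added `#ifdef SADB_X_EALG_RIJNDAELCBC` block sits directly after the `SADB_X_EALG_AESCBC` entry, so on a header that defines both macros with the same value the table carries two rows for algorithm 12 and the earlier `"aes-cbc"` row is matched first; a one-line comment stating that the RIJNDAELCBC row exists for FreeBSD's pfkeyv2.h, where only the RIJNDAELCBC/AES spellings are defined, would make the intended precedence clear. The message also notes that FreeBSD defines `SADB_X_EALG_AES` as 12, so a header that provides only that spelling would still dump the bare number; either add a matching `#ifdef SADB_X_EALG_AES` row or document why the RIJNDAELCBC spelling alone was chosen.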
-------------- next part --------------
--- src/setkey/token.l.orig Mon Sep 18 21:30:18 2006
+++ src/setkey/token.l Mon Sep 18 21:31:05 2006
@@ -208,8 +208,8 @@
#endif
}
<S_ENCALG>rijndael-cbc {
-#ifdef SADB_X_EALG_AESCBC
- yylval.num = SADB_X_EALG_AESCBC; BEGIN INITIAL; return(ALG_ENC);
+#ifdef SADB_X_EALG_RIJNDAELCBC
+ yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC);
#endif
}
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
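Review bot: the hunk replaces the `#ifdef SADB_X_EALG_AESCBC` guard on the `rijndael-cbc` rule instead of extending it, so on a header that defines `SADB_X_EALG_AESCBC` but not `SADB_X_EALG_RIJNDAELCBC` the rule body compiles to nothing and the keyword is silently consumed without returning `ALG_ENC` or leaving `S_ENCALG`. Keeping both spellings, e.g. `#ifdef SADB_X_EALG_RIJNDAELCBC` / `#elif defined(SADB_X_EALG_AESCBC)`, preserves the existing behaviour elsewhere, and an `#else` branch that reports the unsupported algorithm would turn the silent fall-through into a visible parse error on either header.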