FAST_IPSEC NAT-T support

Larry Baird lab at gta.com
Mon Sep 18 13:42:47 PDT 2006


On Mon, Sep 18, 2006 at 09:43:41PM +0200, Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi,
> 
> first of all, a big thanks to Yvan and Larry, and all others, for their 
> work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC 
> with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications 
> after patching where necessary) as client.
> 
> 
> Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools 
> version) discussion, I found a minor difference in the output between 
> those two when using aes/rijndael encryption and executing "setkey -D".
> The FreeBSD base version of setkey outputs something like this:
>  	E: rijndael-cbc  XXXXXXXX ...
> and the ipsec-tools version of setkey outputs this:
>  	E: 12  XXXXXXXX ...
> 
> The difference comes out of libipsec/pfkey_dump.c .
> In the FreeBSD base version of this file we have this:
> #ifdef SADB_X_EALG_RIJNDAELCBC
>          { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
> #endif
> 
> and in the ipsec-tools version this:
> #ifdef SADB_X_EALG_AESCBC
>          { SADB_X_EALG_AESCBC, "aes-cbc", },
> #endif
> 
> Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's 
> pfkeyv2.h file. The definition for encryption algorithm number 12 in 
> pfkeyv2.h is the following:
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES         12

I have attached a slightly different and, in my mind, cleaner patch for this
problem.  I initially thought the problem was with FreeBSD's pfkeyv2.h.
To be consistent it would seem that:
  #define SADB_X_EALG_AES         12
should be
  #define SADB_X_EALG_AESCBC      12

Looking at NetBSD, they have the same definition as FreeBSD.  It would
seem that this problem exists for both FreeBSD and NetBSD.  For what it's
worth, Linux uses SADB_X_EALG_AESCBC.


-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: lab at gta.com                 | TEL 407-380-0220, FAX 407-380-6080
-------------- next part --------------
--- src/libipsec/pfkey_dump.c.orig	Mon Sep 18 16:20:41 2006
+++ src/libipsec/pfkey_dump.c	Mon Sep 18 16:22:17 2006
@@ -78,6 +78,9 @@
 #define SADB_X_EALG_RC5CBC	SADB_EALG_RC5CBC
 #endif
 #endif
+#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
+#define SADB_X_EALG_AESCBC  SADB_X_EALG_AES
+#endif
 
 #define GETMSGSTR(str, num) \
 do { \
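Review bot: aliasing SADB_X_EALG_AESCBC to SADB_X_EALG_AES makes it the same number (12 on FreeBSD, per the quoted pfkeyv2.h) as SADB_X_EALG_RIJNDAELCBC, so if this file's name table also carries an entry guarded by SADB_X_EALG_RIJNDAELCBC, both entries map to 12 and a first-match lookup prints whichever comes first; check that the table ends up with a single entry for 12, or that the "aes-cbc" entry precedes the rijndael one, otherwise `setkey -D` still prints the old name. Minor: the surrounding lines indent with tabs and write `#ifndef` without a space after `!`, while the new lines use `! defined` and a two-space indent; matching the file's style would help. The same three lines are repeated in token.l below; one definition in a header both files include would keep the two copies from drifting.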
--- src/setkey/token.l.orig	Mon Sep 18 16:20:55 2006
+++ src/setkey/token.l	Mon Sep 18 16:22:33 2006
@@ -84,6 +84,9 @@
 #ifndef SADB_X_EALG_AESCTR
 #define SADB_X_EALG_AESCTR	(-1)
 #endif
+#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
+#define SADB_X_EALG_AESCBC  SADB_X_EALG_AES
+#endif
 %}
 
 /* common section */
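Review bot: the alias is placed after the `#ifndef SADB_X_EALG_AESCTR` / `#define SADB_X_EALG_AESCTR (-1)` fallback. If token.l has the same `(-1)` fallback for SADB_X_EALG_AESCBC anywhere above this point, that fallback has already defined the macro as -1 by the time this `#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)` is evaluated, so the alias never fires; the alias needs to come before any such fallback. As in pfkey_dump.c, `! defined` and the two-space indent differ from the tab-indented `#ifndef` block just above.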


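The thread traces the `setkey -D` output difference to a name table in libipsec/pfkey_dump.c built under `#ifdef` guards, with FreeBSD's pfkeyv2.h giving SADB_X_EALG_RIJNDAELCBC and SADB_X_EALG_AES the same value 12 and no SADB_X_EALG_AESCBC at all. The following is an added example, not code from the thread, from ipsec-tools or from FreeBSD: it reproduces that table-and-guard pattern in miniature with the posted compat alias applied, and adds the check a reviewer would want, namely whether two guarded entries now share a number so that the printed name depends only on table order. The constants mimic what the thread reports for pfkeyv2.h; the function names, the PFKEY_COMPAT_ALIAS switch and the table order are assumptions made for this example.

```c
/* Added example; not part of the original thread, ipsec-tools or FreeBSD.
 * Reproduces the setkey -D naming difference in miniature: a PF_KEY
 * algorithm-number-to-name table under #ifdef guards, built against
 * constants that mimic the thread's description of FreeBSD's pfkeyv2.h
 * (two macro names for number 12, no SADB_X_EALG_AESCBC). Function names,
 * PFKEY_COMPAT_ALIAS and the table order are assumptions for this example. */
#include <stddef.h>
#include <string.h>

/* Values as reported for FreeBSD's pfkeyv2.h in the thread. */
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES         12
/* SADB_X_EALG_AESCBC intentionally left undefined, as on FreeBSD/NetBSD. */

/* The compat alias from the posted patch. Build with -DPFKEY_COMPAT_ALIAS=0
 * to see the table without it (only the rijndael entry survives). */
#ifndef PFKEY_COMPAT_ALIAS
#define PFKEY_COMPAT_ALIAS 1
#endif
#if PFKEY_COMPAT_ALIAS && defined(SADB_X_EALG_AES) && !defined(SADB_X_EALG_AESCBC)
#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
#endif

struct ealg_name { int num; const char *name; };

/* Constructed table: the two guarded entries quoted in the thread, with the
 * base-system rijndael entry placed first. */
static const struct ealg_name ealg_names[] = {
#ifdef SADB_X_EALG_RIJNDAELCBC
    { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc" },
#endif
#ifdef SADB_X_EALG_AESCBC
    { SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
    { 0, NULL }   /* sentinel */
};

/* First-match lookup: when two entries carry the same number, table order
 * alone decides which name is returned. */
const char *ealg_name(int num)
{
    for (const struct ealg_name *e = ealg_names; e->name != NULL; e++)
        if (e->num == num)
            return e->name;
    return "unknown";
}

/* Count entries whose number already appears earlier in the table. A
 * non-zero result means the displayed name is a side effect of table
 * order, which is exactly the ambiguity the alias macros introduce. */
int ealg_duplicate_numbers(void)
{
    int dups = 0;
    for (const struct ealg_name *e = ealg_names; e->name != NULL; e++)
        for (const struct ealg_name *p = ealg_names; p != e; p++)
            if (p->num == e->num) { dups++; break; }
    return dups;
}

/* Name this build would print for an AES-CBC SA (algorithm number 12). */
const char *aes_cbc_display_name(void)
{
    return ealg_name(SADB_X_EALG_AES);
}
```

With the alias enabled and the rijndael entry first, `ealg_duplicate_numbers()` reports one collision and `aes_cbc_display_name()` still yields "rijndael-cbc": the alias makes the "aes-cbc" entry exist, but a first-match table only prints it if it precedes (or replaces) the entry that shares number 12. Swapping the two table entries, or dropping the rijndael entry, makes "aes-cbc" the result.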
More information about the freebsd-net mailing list