NATT patch and FreeBSD's setkey

VANHULLEBUS Yvan vanhu at FreeBSD.org
Tue Feb 17 06:28:57 PST 2009


On Tue, Feb 17, 2009 at 02:48:06PM +0200, Riaan Kruger wrote:
> I see a lot of good work done on the nat-t patches for FreeBSD and ipsec-tools.

That's what we're trying to do, even if we know that there is still
some work to do !

> I was wondering if the base setkey is due for an update?
> If so is anyone looking to update it?

Upgrading FreeBSD's setkey is not a new question....
Basically, there are various scenarios:

- keep it (almost) without changes, it is enough for basic (static)
  IPsec, and people who want to do dynamic keying, NAT-T, etc... will
  install ipsec-tools, so will have /usr/local/sbin/setkey.

- same as upper, but do "something" to solve the problem when both
  /sbin/setkey and /usr/local/sbin/setkey (same for libipsec) are
  installed.

- just remove setkey/libipsec from base system. People who want "real
  IPsec" will need ipsec-tools or something else, but we can't ensure
  no one will just need setkey/libipsec...

- sync FreeBSD's setkey/libipsec from ipsec-tools. That won't solve
  all issues (/sbin Vs /usr/local/sbin), and this will need regular
  syncs with ipsec-tools.

- Same as upper, but remove sources from /usr/src, consider
  ipsec-tools as a contrib (in /usr/src/contrib) and do "something" to
  automagically update sources when needed (as in /usr/ports).

All those solutions solve some parts of the problems (except the first
one, of course), but keep/generate some others....

If someone has a magic solution without drawbacks, please tell us !


> Has anyone had any success using the patched FreeBSD along with racoon2.

I just don't know what's the actual status of racoon2, but nat-t
patchset is public and everyone can send changes if that helps
interaction with other daemons (without breaking again the API if
possible.....).


Yvan.

