Fwd: NATT patch and FreeBSD's setkey

Kurt Buff kurt.buff at gmail.com
Tue Feb 17 11:44:45 PST 2009


My bad - didn't send to list. See below.


---------- Forwarded message ----------
From: Kurt Buff <kurt.buff at gmail.com>
Date: Tue, Feb 17, 2009 at 11:20 AM
Subject: Re: NATT patch and FreeBSD's setkey
To: "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net>


On Tue, Feb 17, 2009 at 6:41 AM, Bjoern A. Zeeb
<bzeeb-lists at lists.zabbadoz.net> wrote:
> On Tue, 17 Feb 2009, VANHULLEBUS Yvan wrote:
>
> Hi,
>
>> If someone has a magic solution without drawbacks, please tell us !
>
> I am not going to find my posting from a few years back but the
> solution is to keep the kernel and libipsec (and setkey) in base in
> sync and not install libipsec and setkey from the ipsec-tools port.
> Done.
>
> That obviously means that people who patch their kernel need to patch
> their user space as well but that should not be a problem as they
> rebuild anyway and need to build ipsec-tools racoon etc. on their own
> to use the new features as w/o changing the default options it doesn't
> work for nat-t.
>
> That also allows other 3rd party utilities using libipsec to continue
> to do so and use all "features" w/o needing another fork.
>
>
>
>>> Has anyone had any success using the patched FreeBSD along with racoon2.
>>
>> I just don't know what's the actual status of racoon2, but nat-t
>> patchset is public and everyone can send changes if that helps
>> interaction with other daemons (without breaking again the API if
>> possible.....).
>
> We have about 3 months left to get that patch in for 8; ideally 6
> weeks.  Can you update the nat-t patch in a way as discussed here
> before so that the extra address is in etc. and we can move forward?
>
> I basically do not care if racoon from ipsec-tools is not going to
> work for two weeks of HEAD or four as someone will quickly add a
> conditional patch to the port for a __FreeBSD_version > 8xxxxx and
> that can be removed once ipsec-tools properly detect the state of the
> system.
>
> /bz
>
> --
> Bjoern A. Zeeb                      The greatest risk is not taking one.

Forgive my ignorance, but is this the same patch required by
'/usr/ports/security/ike - Shrew Soft IKE daemon and client tools'?

Kurt


More information about the freebsd-net mailing list