Cannot get a raw ESP socket with IPFW2 enabled
Christian Lackas
c.lackas at kfa-juelich.de
Sat Jun 5 16:34:54 GMT 2004
Hello,
I have problems getting a raw ESP socket on a FreeBSD 4.10-RELEASE (and
also 4.9-RELEASE and a current 4.10-STABLE) system if IPFW2 is enabled
in the kernel configuration:
The following test program
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    int main(void)
    {
        int fd;

        /* ask the kernel for a raw IPv4 socket bound to protocol 50 (ESP) */
        fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
        printf("fd = %d\n", fd);
        printf("IPPROTO_ESP = %d\n", IPPROTO_ESP);
        if (fd == -1)
            perror("socket(SOCK_RAW)");   /* print why the kernel refused */
        return fd == -1 ? 1 : 0;
    }
gives me a:
fd = -1
IPPROTO_ESP = 50
socket(SOCK_RAW): Protocol not supported
But without IPFW2 it works:
fd = -1
IPPROTO_ESP = 50
socket(SOCK_RAW): Operation not permitted
and with root rights it is also permitted:
fd = 3
IPPROTO_ESP = 50
Any idea how to fix this?
The complete (working) kernel config file can be found under
http://www.lackas.net/freebsd/KERNEL.antares
In this file neither FAST_IPSEC nor IPSEC (nor IPSEC_ESP) is enabled.
BTW: Such a socket is needed by the security/vpnc port. It works
perfectly on FreeBSD 5 (which AFAIK uses the firewall that is named
IPFW2 under 4, doesn't it?). The vpnc port handles the complete IPSec
stuff in user space, so no support in the kernel is needed (apart from
this raw ESP socket).
Regards,
Christian
--
Forschungszentrum Juelich Central Institute For Electronics (ZEL)
Leo-Brandt-Strasse 52425 Juelich, Germany
Tel: +49-2461-61 2425 Fax: +49-2461-61 3990
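Added example, not part of Christian's post or of the vpnc port: a small C diagnostic that opens the raw ESP socket the same way the test program above does, but classifies errno so that the two failures shown in the post, EPROTONOSUPPORT (no kernel handler for protocol 50) and EPERM (raw sockets need root), are told apart explicitly instead of being read off the perror string. The function names, the enum and the inclusion of EACCES in the "needs privilege" case are my own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Outcome of trying to open a raw socket for one IP protocol (hypothetical names). */
enum raw_probe {
    RAW_OK,           /* socket opened: kernel supports it and we are privileged   */
    RAW_NEED_PRIV,    /* EPERM/EACCES: protocol known, but raw sockets need root    */
    RAW_UNSUPPORTED,  /* EPROTONOSUPPORT: kernel has no handler for this protocol  */
    RAW_OTHER         /* anything else: inspect errno                               */
};
/* Map the errno left by a failed socket(2) call to one of the outcomes above. */
enum raw_probe classify_socket_errno(int err)
{
    switch (err) {
    case EPERM:
    case EACCES:            /* assumption: treat EACCES like EPERM */
        return RAW_NEED_PRIV;
    case EPROTONOSUPPORT:   /* the error seen with IPFW2 in the post */
        return RAW_UNSUPPORTED;
    default:
        return RAW_OTHER;
    }
}
/* Try to open a raw socket for `proto`, close it again, and report the outcome.
 * The socket is only probed; nothing is ever sent or received on it. */
enum raw_probe probe_raw_socket(int proto, int *saved_errno)
{
    int fd = socket(PF_INET, SOCK_RAW, proto);
    if (fd == -1) {
        *saved_errno = errno;
        return classify_socket_errno(errno);
    }
    close(fd);
    *saved_errno = 0;
    return RAW_OK;
}
int main(void)
{
    int err;
    enum raw_probe r = probe_raw_socket(IPPROTO_ESP, &err);
    static const char *names[] = { "ok", "needs privilege", "protocol not supported", "other" };
    printf("raw ESP socket: %s (%s)\n", names[r], err ? strerror(err) : "-");
    return r == RAW_OK ? 0 : 1;
}
```

Run it once as an unprivileged user and once as root on the IPFW2 kernel: "needs privilege" means the kernel has a handler for protocol 50 and only the privilege check failed, "protocol not supported" means the raw-socket lookup for ESP itself is missing.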