IPSEC ESP NULL no longer works in -CURRENT

Bruce M Simpson bms at spc.org
Thu May 13 05:25:57 PDT 2004


Hi,

I've tried both FAST_IPSEC and KAME IPSEC from my last 'working' snapshot
of -CURRENT, which is dated April 20th, and neither seems to allow the use
of the NULL encryption algorithm (RFC2410).

I use this quite regularly to implement tunnels where confidentiality isn't
required, but the ability to traverse ISP filters (which permit ESP traffic,
but not GRE or IPIP for example) is required.

From what I can gather with setkey -x, all requests to set up an SA with
SADB_EALG_NULL return an errno of 22 (Invalid argument) for both
implementations: key_add: invalid message is passed.

I haven't drilled down as far as single-stepping through the code; that is
difficult to do on this system as it's the core router for our local network.
An update to a recent 5-CURRENT was needed as we plan to run pf's NAT with a
simple ADSL-PPPoA-Ethernet bridge device as our main Internet link here.

Before I go tearing into netipsec and netkey, does anybody have any ideas
how this functionality might have regressed?

Regards,
BMS
