NAT-T support for IPSec stack

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Tue Aug 2 13:53:19 GMT 2005


Hi all.


For some months now, ipsec-tools has been the "official" version of
racoon, KAME's isakmp daemon.

Ipsec-tools supports NAT-Traversal (RFCs 3947 / 3948), but needs some
kernel support for that.

This kernel support has been done for the Linux 2.6 kernel for some
time, was done for NetBSD some months ago, and I made a similar
patchset for FreeBSD.

The FreeBSD 4 patchset has been used for some months by various people,
and I recently ported it to the FreeBSD 6 kernel source.

The first version of this patch can be found here:
http://ipsec-tools.sourceforge.net/freebsd6-natt.diff

There are still some things to do for this patch, starting with support
for FAST_IPSEC (it only works with IPSEC for now) and probably some
cleanup (ENABLE_NATT => something else?, etc.).

As I don't want to keep porting such a patch over versions, as some
people already asked me lots of things about this patch, and as it
would be interesting to have it widely used by people, I would be
happy to do "what is needed" to have it reported to the FreeBSD source
tree.

Are you interested in it?

Do you have some comments on the actual version, some things that
should be done before reporting it?



Of course, it would also be interesting to have an ipsec-tools port,
I'll contact the ports list for such an integration.



Yvan.


More information about the freebsd-net mailing list