FAST_IPSEC NAT-T support

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Tue Sep 19 01:05:01 PDT 2006


On Mon, Sep 18, 2006 at 09:43:41PM +0200, Joerg Pulz wrote:
> 
> Hi,

Hi.


> first of all, a big thanks to Yvan and Larry, and all others, for their 
> work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC 
> with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications 
> after patching where necessary) as client.

Yes, I know there are small (almost all indentation) changes since
RELENG_6 which need a separate patch.


> Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools 
> version) discussion, I found a minor difference in the output between 
> those two when using aes/rijndael encryption and executing "setkey -D".
> The FreeBSD base version of setkey outputs something like this:
> 	E: rijndael-cbc  XXXXXXXX ...
> and the ipsec-tools version of setkey outputs this:
> 	E: 12  XXXXXXXX ...
> 
> The difference comes out of libipsec/pfkey_dump.c .
> In the FreeBSD base version of this file we have this:
> #ifdef SADB_X_EALG_RIJNDAELCBC
>         { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
> #endif
> 
> and in the ipsec-tools version this:
> #ifdef SADB_X_EALG_AESCBC
>         { SADB_X_EALG_AESCBC, "aes-cbc", },
> #endif

Rijndael IS AES, and AES is now the "official" name....


> Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's 
> pfkeyv2.h file. The definition for encryption algorithm number 12 in 
> pfkeyv2.h is the following:
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES         12
> 
> I'm not sure which one is right in this case, but as a quick fix I've 
> attached two small patches for the ipsec-tools port.
> Simply copy both files to ${PORTSDIR}/security/ipsec-tools/files and 
> rebuild/reinstall the port.

Larry very quickly provided another patch which does the reverse
thing (always find AES), and I reported the patch to ipsec-tools HEAD,
so it will be on the 0.7 branch (should come soon).

If there is a real need to include that patch in FreeBSD's port before
that, please submit a PR and I'll add the patch to FreeBSD's port.


Yvan.

-- 
NETASQ
http://www.netasq.com
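An added example, not code from this thread nor from libipsec itself, showing why the two setkey builds print different names for algorithm 12: the name table in pfkey_dump.c is built under #ifdef, so an undefined macro silently drops the entry and "setkey -D" falls back to the raw number. The pfkeyv2.h fragment is constructed from the lines quoted above, and the alias define used as the fix is a hypothetical illustration of what Larry's patch achieves, not its actual text.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fragment mirroring the FreeBSD pfkeyv2.h lines quoted in
 * the thread: algorithm 12 is only known under its Rijndael name. */
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES         12

struct val2str { int val; const char *str; };
/* Table as libipsec/pfkey_dump.c builds it in the FreeBSD base system. */
static const struct val2str base_alg_enc[] = {
#ifdef SADB_X_EALG_RIJNDAELCBC
    { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc" },
#endif
    { -1, NULL },
};

/* Same table as ipsec-tools builds it against that header: aes-cbc drops out. */
static const struct val2str tools_alg_enc[] = {
#ifdef SADB_X_EALG_AESCBC
    { SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
    { -1, NULL },
};

/* Hypothetical fix: alias the ipsec-tools name to number 12, so the same #ifdef keeps the entry. */
#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
static const struct val2str fixed_alg_enc[] = {
#ifdef SADB_X_EALG_AESCBC
    { SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
    { -1, NULL },
};

/* Resolve an id as "setkey -D" prints it: the name if known, else the raw number. */
const char *ealg_name(const struct val2str *tbl, int val)
{
    static char num[16];
    for (; tbl->str != NULL; tbl++)
        if (tbl->val == val)
            return tbl->str;
    snprintf(num, sizeof num, "%d", val);
    return num;
}

int main(void)
{
    printf("base:  E: %s\n", ealg_name(base_alg_enc, 12));  /* rijndael-cbc */
    printf("tools: E: %s\n", ealg_name(tools_alg_enc, 12)); /* 12 */
    printf("fixed: E: %s\n", ealg_name(fixed_alg_enc, 12)); /* aes-cbc */
    return 0;
}
```

When comparing SAD dumps from the two tools, treat a bare number in the E: column as a missing name-table entry for that build, not as a different algorithm on the SA.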

