[same mail sent both on ipsec-tools-devel and freebsd-net, please use respective MLs for potential issues on each side]
Hi all.

Here is a beta patch which cleans the way PFKey exchanges NAT-T ports between kernel and userland, available at: http://people.freebsd.org/~vanhu/NAT-T/experimental/

patch-FreeBSD-TRUNK-NATT-pfkey-clean-<date>.diff is the whole FreeBSD NAT-T patchset (also available on perforce.freebsd.org for those who have access).

patch-ipsec-tools-HEAD-NATT-pfkey-cleanup-<date>.diff applies on ipsec-tools CVS HEAD.

With those patches, NAT-T ports are now always sent via SADB_X_EXT_NAT_T_[S|D]PORT, and never as ports in SADB_EXT_ADDRESS_[SRC|DST] (which is not RFC2367 compliant). Both ways are more or less used actually.

Basic tests with those patches work (a tunnel with NAT-T negotiates and works), but please note those patches are in a directory called "experimental". At least, setkey hasn't been updated yet, and some cleanups will need to be done before committing.

Compatibility with existing IPsec+NAT-T stacks is also an issue (if you compile without NAT-T support, you'll have NO issue at all):

- racoon + patch won't work correctly on FreeBSD + old NAT-T patch (I'll generate at least an updated patch for FreeBSD 7.x).
- racoon + patch won't work correctly on NetBSD + NAT-T enabled.
- racoon + patch may work as well or even better on Linux... or not...
- racoon without patch won't work correctly on FreeBSD + new NAT-T patch.
- racoon without patch won't work correctly on updated NetBSD + NAT-T (no NetBSD patch yet).

Ipsec-tools team has still not decided how such compatibility issues will be handled (or not...), any (good) idea is welcome!

Please send feedback/bug reports/patches/anything else directly on ipsec-tools-devel or freebsd-net MLs (for respective patches), so everyone interested will have the info.

Yvan.
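
The convention described in the mail above (NAT-T ports carried in SADB_X_EXT_NAT_T_SPORT/DPORT, sockaddr port in SADB_EXT_ADDRESS_SRC/DST left at zero) can be checked on a captured PF_KEY message. This is an added example, not part of the original mail or of either patch; `natt_scan`, `natt_view`, `natt_sample` and the sample bytes are constructed for illustration, and the NAT-T extension numbers are assumed from the usual pfkeyv2.h values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ADDRESS_* numbers are from RFC 2367; the NAT-T numbers are the ones used in
 * the FreeBSD and Linux pfkeyv2.h headers (assumed here, check your header). */
enum { EXT_ADDRESS_SRC = 5, EXT_ADDRESS_DST = 6,
       X_EXT_NAT_T_SPORT = 21, X_EXT_NAT_T_DPORT = 22 };
struct natt_view { uint16_t sport, dport; int port_in_address; };
static uint16_t host16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint16_t net16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the extensions that follow the sadb_msg header; -1 means malformed. */
int natt_scan(const uint8_t *ext, size_t len, struct natt_view *out) {
    memset(out, 0, sizeof(*out));
    while (len > 0) {
        if (len < 8) return -1;
        size_t elen = (size_t)host16(ext) * 8;  /* sadb_ext_len counts 64-bit words */
        uint16_t type = host16(ext + 2);
        if (elen == 0 || elen > len) return -1;
        if (type == X_EXT_NAT_T_SPORT) out->sport = net16(ext + 4);
        else if (type == X_EXT_NAT_T_DPORT) out->dport = net16(ext + 4);
        else if ((type == EXT_ADDRESS_SRC || type == EXT_ADDRESS_DST) &&
                 elen >= 16 && net16(ext + 10) != 0)
            out->port_in_address = 1;  /* port field, 2 bytes into the sockaddr */
        ext += elen; len -= elen;
    }
    return 0;
}

/* Constructed sample: an IPv4 SRC address extension and a SPORT extension.
 * legacy=1 also leaves port 4500 in the sockaddr; legacy=0 keeps it zero. */
size_t natt_sample(uint8_t *buf, int legacy) {
    uint16_t w;
    memset(buf, 0, 32);
    w = 3; memcpy(buf, &w, 2);              /* 24 bytes: sadb_address + sockaddr_in */
    w = EXT_ADDRESS_SRC; memcpy(buf + 2, &w, 2);
    if (legacy) { buf[10] = 4500 >> 8; buf[11] = 4500 & 0xff; }
    w = 1; memcpy(buf + 24, &w, 2);         /* 8 bytes: sadb_x_nat_t_port */
    w = X_EXT_NAT_T_SPORT; memcpy(buf + 26, &w, 2);
    buf[28] = 4500 >> 8; buf[29] = 4500 & 0xff;
    return 32;
}

int main(void) {
    uint8_t buf[32]; struct natt_view v;
    natt_scan(buf, natt_sample(buf, 1), &v);
    printf("sport=%u port_in_address=%d\n", v.sport, v.port_in_address);
    return 0;
}
```

A message that sets `port_in_address` uses the older layout the mail says the patches move away from, which is the kind of kernel/userland mismatch listed in the compatibility notes.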