From: Larry Baird
To: Scott Ullrich
Cc: freebsd-net@freebsd.org
Date: Fri, 15 Sep 2006 16:52:46 -0400
Subject: Re: FAST_IPSEC NAT-T support
Message-ID: <20060915165246.A92818@gta.com>

On Fri, Sep 15, 2006 at 12:07:58PM -0400, Scott Ullrich wrote:
> On 9/15/06, Larry Baird wrote:
> > On Thu, Sep 14, 2006 at 09:43:38PM -0400, Scott Ullrich wrote:
> > > On 9/14/06, Larry Baird wrote:
> > > > Please find attached two patches for adding FAST_IPSEC NAT-T support to
> > > > FreeBSD 6.x. The patch "freebsd6-fastipsec-natt.diff" is dependent
> > > > upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> > > > http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/. The second
> > > > patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> > > > combining both patches together.
>
> Great, thanks!
>
> Next problem that I have encountered (with FAST_IPSEC) is:
>
> # /sbin/setkey -D
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
> Invalid extension type
>
> Let me know if I can do any further testing, still waiting for status
> reports from a few of the pfSense users, but IPSEC seems to work okay
> even with this small cosmetic setkey issue.

Just to be sure I understand the issue. You have a kernel built with
the FAST_IPSEC NAT-T patches but without the IPSEC_NAT_T option. Your
VPNs work but you are unable to dump your SAD entries.

Larry

--
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: lab@gta.com                 | TEL 407-380-0220, FAX 407-380-6080