From: VANHULLEBUS Yvan
To: Riaan Kruger
Cc: freebsd-net@freebsd.org
Date: Tue, 17 Feb 2009 15:34:25 +0100
Subject: Re: NATT patch and FreeBSD's setkey
Message-ID: <20090217143425.GA58591@zeninc.net>
In-Reply-To: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com>

On Tue, Feb 17, 2009 at 02:48:06PM +0200, Riaan Kruger wrote:
> I see a lot of good work done on the nat-t patches for FreeBSD and ipsec-tools.

That's what we're trying to do, even if we know that there is still some work to do!

> I was wondering if the base setkey is due for an update?
> If so is anyone looking to update it?

Upgrading FreeBSD's setkey is not a new question....
Basically, there are various scenarios:

- keep it (almost) without changes; it is enough for basic (static) IPsec, and people who want to do dynamic keying, NAT-T, etc. will install ipsec-tools, so will have /usr/local/sbin/setkey.
- same as above, but do "something" to solve the problem when both /sbin/setkey and /usr/local/sbin/setkey (same for libipsec) are installed.
- just remove setkey/libipsec from the base system. People who want "real IPsec" will need ipsec-tools or something else, but we can't ensure no one will just need setkey/libipsec...
- sync FreeBSD's setkey/libipsec from ipsec-tools. That won't solve all issues (/sbin vs /usr/local/sbin), and this will need regular syncs with ipsec-tools.
- same as above, but remove the sources from /usr/src, consider ipsec-tools as a contrib (in /usr/src/contrib) and do "something" to automagically update the sources when needed (as in /usr/ports).

All those solutions solve some parts of the problems (except the first one, of course), but keep/generate some others.... If someone has a magic solution without drawbacks, please tell us!

> Has anyone had any success using the patched FreeBSD along with racoon2.

I just don't know what the actual status of racoon2 is, but the nat-t patchset is public and everyone can send changes if that helps interaction with other daemons (without breaking the API again, if possible.....).

Yvan.