Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 5 Dec 2013 11:48:06 -0500
From:      "firmdog@gmail.com" <firmdog@gmail.com>
To:        Fleuriot Damien <ml@my.gd>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: do I have to compile a new kernel? or just add options somehow?
Message-ID:  <CAHcg-UHOeWi9xTMe9x2BBYW+wh6PO_do2SSoioopxmgNbSZg2Q@mail.gmail.com>
In-Reply-To: <D8B22251-346B-4507-8705-58CBD3D2026F@my.gd>
References:  <CAHcg-UF6hdDBrnw+jY6ajzdD9NnSzAPnu8pwMqvGfkK3feWgKQ@mail.gmail.com> <1A249B2C-B341-4270-B343-627901FD9562@my.gd> <CAHcg-UF1HfTq_OianFxiD1Xy_EyA6GApuOKPG+b+1XF2a1c27g@mail.gmail.com> <D8B22251-346B-4507-8705-58CBD3D2026F@my.gd>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Looks like it "might have" worked for me. First I added a couple of options
to the GENERIC config:

root@:~ # grep IPSEC /usr/src/sys/i386/conf/GENERIC
options         IPSEC           # IP security (requires device crypto)
options         IPSEC_NAT_T     # NAT-T support, UDP encap of ESP

Then rebooted:

root@:~ # uname -a
FreeBSD  8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Mon Jun  3 01:14:28
UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386

root@:~ # kldload crypto
root@:~ # kldstat
Id Refs Address    Size     Name
 1    5 0xc0400000 d5c4ec   kernel
 2    1 0xc58eb000 23000    crypto.ko
 3    1 0xc58da000 a000     zlib.ko


The reason I am doing this is because a new Cisco VPN router will not work
with my IPF Freebsd firewall. The IPF firewall blocks the UDP ipsec packets
on port 4500. So now I need to see if doing the above exercise helps with
IPF blocking IPsec traversal across NAT




On Thu, Dec 5, 2013 at 10:57 AM, Fleuriot Damien <ml@my.gd> wrote:

> Oh but you can load modules at boot time for GENERIC just fine.
>
> While there is a "crypto" module nested under /usr/src/sys/modules/crypto/
> , I'm not familiar enough with it to say whether it incorporates both the
> device and the IPSEC options you're interested in.
>
> You're better off rebuilding GENERIC, or your own kernel, IMHO.
>
>
>
> If you're curious, you can always run :
> kldload crypto
>
> If kldload says the module doesn't exist (I think it should, for GENERIC),
> you'll need to build it:
> cd /usr/src/sys/modules/crypto/ && make && make install
>
>
>
> Here's little me trying to load it under a brand new 8.4 box:
>
> # kldload /boot/kernel/crypto.ko
> kldload: can't load /boot/kernel/crypto.ko: Exec format error
>
>
> If you run into this error like me, "dmesg" will provide you with a clue,
> as it does in my case:
> KLD crypto.ko: depends on zlib - not available or version mismatch
> linker_load_file: Unsupported file type
>
>
>
> I really encourage you to rebuild your own kernel, stripped of all the
> stuff you don't want/need (ISA NICs, wifi, firewire, floppy controller... )
>
>
> Warren Block has written pretty cool articles, here:
> http://www.wonkity.com/~wblock/docs/html/buildworld.html
> http://www.wonkity.com/~wblock/docs/html/kernelconfig.html
>
>
>
>
> I hope that helps,
>
>
> On Dec 5, 2013, at 4:30 PM, "firmdog@gmail.com" <firmdog@gmail.com> wrote:
>
>
> So the answer is that it's NOT possible to load modules at boot time for
> GENERIC? I have to actually build a new kernel?
>
> Thanks!
>
>
> On Thu, Dec 5, 2013 at 9:42 AM, Fleuriot Damien <ml@my.gd> wrote:
>
>>
>> On Dec 5, 2013, at 3:35 PM, "firmdog@gmail.com" <firmdog@gmail.com>
>> wrote:
>>
>> > I am having difficulty understanding what is compiled into the GENERIC
>> > kernel.
>> >
>> > I need to enable "device crypto" with IPSEC and IPSEC_NAT_T options.
>> >
>> > Can I just configure the GENERIC kernel in a config file? Or do I have
>> to
>> > compile a totally new kernel?
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe@freebsd.org"
>>
>>
>> While it's far from being a good practice, you can simply add your:
>> device crypto
>> options IPSEC
>> options IPSEC_NAT_T
>>
>> to /sys/amd64/conf/GENERIC (assuming you're running a 64bit release that
>> is).
>>
>>
>> Then: cd /usr/src && make kernel-toolchain && make buildkernel
>>
>> Once the kernel is built, you only need to "make installkernel" and
>> reboot.
>>
>> It is good practice, before rebooting, to run "mergemaster -p" , even if
>> you've only done a minor upgrade, let good habits sink in ;)
>>
>>
>>
>>
>> Regarding what is compiled in the GENERIC kernel, you can find the
>> included options and devices at:
>> /sys/amd64/conf/GENERIC
>> or
>> /sys/i386/conf/GENERIC
>>
>> You may also run config -x /boot/kernel/kernel , if your kernel was built
>> with INCLUDE_CONFIG_FILE , which GENERIC does.
>>
>>
>
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAHcg-UHOeWi9xTMe9x2BBYW+wh6PO_do2SSoioopxmgNbSZg2Q>