Date: Thu, 5 Dec 2013 11:48:06 -0500 From: "firmdog@gmail.com" <firmdog@gmail.com> To: Fleuriot Damien <ml@my.gd> Cc: freebsd-questions@freebsd.org Subject: Re: do I have to compile a new kernel? or just add options somehow? Message-ID: <CAHcg-UHOeWi9xTMe9x2BBYW%2Bwh6PO_do2SSoioopxmgNbSZg2Q@mail.gmail.com> In-Reply-To: <D8B22251-346B-4507-8705-58CBD3D2026F@my.gd> References: <CAHcg-UF6hdDBrnw%2BjY6ajzdD9NnSzAPnu8pwMqvGfkK3feWgKQ@mail.gmail.com> <1A249B2C-B341-4270-B343-627901FD9562@my.gd> <CAHcg-UF1HfTq_OianFxiD1Xy_EyA6GApuOKPG%2Bb%2B1XF2a1c27g@mail.gmail.com> <D8B22251-346B-4507-8705-58CBD3D2026F@my.gd>
next in thread | previous in thread | raw e-mail | index | archive | help
Looks like it "might have" worked for me. First I added a couple of options to the GENERIC config: root@:~ # grep IPSEC /usr/src/sys/i386/conf/GENERIC options IPSEC # IP security (requires device crypto) options IPSEC_NAT_T # NAT-T support, UDP encap of ESP Then rebooted: root@:~ # uname -a FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Mon Jun 3 01:14:28 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386 root@:~ # kldload crypto root@:~ # kldstat Id Refs Address Size Name 1 5 0xc0400000 d5c4ec kernel 2 1 0xc58eb000 23000 crypto.ko 3 1 0xc58da000 a000 zlib.ko The reason I am doing this is because a new Cisco VPN router will not work with my IPF Freebsd firewall. The IPF firewall blocks the UDP ipsec packets on port 4500. So now I need to see if doing the above exercise helps with IPF blocking IPsec traversal across NAT On Thu, Dec 5, 2013 at 10:57 AM, Fleuriot Damien <ml@my.gd> wrote: > Oh but you can load modules at boot time for GENERIC just fine. > > While there is a "crypto" module nested under /usr/src/sys/modules/crypto/ > , I'm not familiar enough with it to say whether it incorporates both the > device and the IPSEC options you're interested in. > > You're better off rebuilding GENERIC, or your own kernel, IMHO. > > > > If you're curious, you can always run : > kldload crypto > > If kldload says the module doesn't exist (I think it should, for GENERIC), > you'll need to build it: > cd /usr/src/sys/modules/crypto/ && make && make install > > > > Here's little me trying to load it under a brand new 8.4 box: > > # kldload /boot/kernel/crypto.ko > kldload: can't load /boot/kernel/crypto.ko: Exec format error > > > If you run into this error like me, "dmesg" will provide you with a clue, > as it does in my case: > KLD crypto.ko: depends on zlib - not available or version mismatch > linker_load_file: Unsupported file type > > > > I really encourage you to rebuild your own kernel, stripped of all the > stuff you don't want/need (ISA NICs, wifi, firewire, floppy controller... ) > > > Warren Block has written pretty cool articles, here: > http://www.wonkity.com/~wblock/docs/html/buildworld.html > http://www.wonkity.com/~wblock/docs/html/kernelconfig.html > > > > > I hope that helps, > > > On Dec 5, 2013, at 4:30 PM, "firmdog@gmail.com" <firmdog@gmail.com> wrote: > > > So the answer is that it's NOT possible to load modules at boot time for > GENERIC? I have to actually build a new kernel? > > Thanks! > > > On Thu, Dec 5, 2013 at 9:42 AM, Fleuriot Damien <ml@my.gd> wrote: > >> >> On Dec 5, 2013, at 3:35 PM, "firmdog@gmail.com" <firmdog@gmail.com> >> wrote: >> >> > I am having difficulty understanding what is compiled into the GENERIC >> > kernel. >> > >> > I need to enable "device crypto" with IPSEC and IPSEC_NAT_T options. >> > >> > Can I just configure the GENERIC kernel in a config file? Or do I have >> to >> > compile a totally new kernel? >> > _______________________________________________ >> > freebsd-questions@freebsd.org mailing list >> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> > To unsubscribe, send any mail to " >> freebsd-questions-unsubscribe@freebsd.org" >> >> >> While it's far from being a good practice, you can simply add your: >> device crypto >> options IPSEC >> options IPSEC_NAT_T >> >> to /sys/amd64/conf/GENERIC (assuming you're running a 64bit release that >> is). >> >> >> Then: cd /usr/src && make kernel-toolchain && make buildkernel >> >> Once the kernel is built, you only need to "make installkernel" and >> reboot. >> >> It is good practice, before rebooting, to run "mergemaster -p" , even if >> you've only done a minor upgrade, let good habits sink in ;) >> >> >> >> >> Regarding what is compiled in the GENERIC kernel, you can find the >> included options and devices at: >> /sys/amd64/conf/GENERIC >> or >> /sys/i386/conf/GENERIC >> >> You may also run config -x /boot/kernel/kernel , if your kernel was built >> with INCLUDE_CONFIG_FILE , which GENERIC does. >> >> > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHcg-UHOeWi9xTMe9x2BBYW%2Bwh6PO_do2SSoioopxmgNbSZg2Q>