Date:      Thu, 13 May 2004 13:25:52 +0100
From:      Bruce M Simpson <bms@spc.org>
To:        freebsd-current@FreeBSD.org
Subject:   IPSEC ESP NULL no longer works in -CURRENT
Message-ID:  <20040513122552.GD1678@empiric.dek.spc.org>

Hi,

I've tried both FAST_IPSEC and KAME IPSEC from my last 'working' snapshot
of -CURRENT which is dated April 20th, and neither seem to allow the use
of the NULL encryption algorithm (RFC2410).

I use this quite regularly to implement tunnels where confidentiality isn't
required, but the ability to traverse ISP filters (which permit ESP traffic,
but not GRE or IPIP for example) is required.

From what I can gather with setkey -x, all requests to set up an SA with
SADB_EALG_NULL return an errno of 22 (Invalid argument) for both
implementations:

    key_add: invalid message is passed.

I haven't drilled down as far as single-stepping through the code; that is
difficult to do on this system as it's the core router for our local network.
An update to a recent 5-CURRENT was needed as we plan to run pf's NAT with a
simple ADSL-PPPoA-Ethernet bridge device as our main Internet link here.

Before I go tearing into netipsec and netkey, does anybody have any ideas
how this functionality might have regressed?

Regards,
BMS
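For readers who have not set up an RFC 2410 ESP NULL tunnel by hand, the
following setkey(8) configuration is an added illustration of the kind of SA
the message is talking about; it is not part of the original post and is not
taken from the FreeBSD tree. The addresses (RFC 5737 documentation ranges),
the SPIs and the HMAC key are constructed placeholders, and the gateway names
are assumptions; substitute your own before loading it with `setkey -f`.

```conf
# Constructed example: manual ESP NULL tunnel between two gateways.
#   gw-a = 192.0.2.1   fronting 10.0.1.0/24   (placeholder)
#   gw-b = 198.51.100.1 fronting 10.0.2.0/24  (placeholder)
# NULL encryption (RFC 2410) gives no confidentiality; the HMAC on each
# SA is what makes the tunnel more than plain ESP framing.

flush;
spdflush;

# Security associations, one per direction.  "-E null" selects
# SADB_EALG_NULL (no key); the 160-bit hmac-sha1 key is a placeholder.
add 192.0.2.1 198.51.100.1 esp 0x10001 -m tunnel \
    -E null \
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;

add 198.51.100.1 192.0.2.1 esp 0x10002 -m tunnel \
    -E null \
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;

# Policy on gw-a: traffic between the two inside networks must go
# through the ESP tunnel; the mirror policy goes on gw-b.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec \
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec \
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

Load it with `setkey -f /path/to/this.conf` and confirm the SAs with
`setkey -D` (and the policies with `setkey -DP`). The symptom reported above
shows up at the `add` lines: on an affected kernel `setkey -x` logs the PF_KEY
SADB_ADD being rejected with EINVAL and nothing appears in `setkey -D`. Two
practitioner notes: always pair NULL encryption with an authentication
algorithm, since an ESP SA with neither provides no protection at all, and
when the tunnel exists only to get past an ISP filter, remember that the
payload is readable on the wire by anyone who cares to look.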
