Chris Buechler wrote:
> I presume you're talking about a stock FreeBSD install?
I'm talking about the FreeBSD sources that were used to compile the
kernel that pfsense uses.
> I don't believe the NAT-T patches are in the pfsense kernel, something
> about a security issue with them was reported by one of our developers
> and the patch was pulled. I'm not familiar with any details.
That's interesting. Has anyone notified Yvan about the potential security
problem? I'm sure he would be interested in looking into it.
> If the issue is the lack of NAT-T, that would be expected I believe.
> (Scott or somebody jump in and correct me here if I'm off base)
The racoon binary was obviously compiled with NAT-T support on a system
that had the kernel patch applied. Otherwise it wouldn't be attempting
to set the UDP_ENCAP_ESPINUDP_NON_IKE socket option, which doesn't exist in
udp.h until the patch is applied ...
Index: netinet/udp.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/udp.h,v
retrieving revision 1.9
diff -b -u -p -r1.9 udp.h
--- netinet/udp.h 7 Jan 2005 01:45:45 -0000 1.9
+++ netinet/udp.h 19 Sep 2006 12:44:49 -0000
@@ -44,4 +44,17 @@ struct udphdr {
u_short uh_sum; /* udp checksum */
};
+/* socket options for UDP */
+#define UDP_ENCAP 100
+
+/* Encapsulation types */
+#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /*
draft-ietf-ipsec-nat-t-ike-00/01 */
+#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-02+ */
+
+/* Default encapsulation port */
+#define UDP_ENCAP_ESPINUDP_PORT 500
+
+/* Maximum UDP fragment size for ESP over UDP */
+#define UDP_ENCAP_ESPINUDP_MAXFRAGLEN 552
+
#endif
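Review bot: the `+#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /*` line has its closing comment `draft-ietf-ipsec-nat-t-ike-00/01 */` wrapped onto a following line that carries no `+` prefix, so the hunk as pasted will not apply with patch(1); re-send it with line wrapping disabled or as an attachment. The new option block also documents the encapsulation types only by draft name; a one-line comment above `+#define UDP_ENCAP 100` stating that the option is only honoured by a kernel built with the matching ESP-over-UDP code would document exactly the userland-versus-kernel mismatch this thread is chasing.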
-Matthew
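As an added example (not code from this thread, from racoon or from pfSense): a small probe that makes the same setsockopt() call a NAT-T-enabled racoon makes on its IKE socket, so an operator can tell whether the running kernel actually carries the ESP-over-UDP code before debugging racoon itself. The constant values come from the quoted udp.h hunk and are defined locally only when the system header lacks them; the errno-to-verdict mapping is an assumption about how an unpatched stack rejects an unknown option.

```c
/* Added example: probe the running kernel for the UDP_ENCAP socket option
 * that a NAT-T-enabled racoon sets. Values below match the quoted udp.h
 * hunk and are only defined here if the installed header lacks them, i.e.
 * the "built against a patched header" situation the thread describes. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef UDP_ENCAP
#define UDP_ENCAP 100
#endif
#ifndef UDP_ENCAP_ESPINUDP_NON_IKE
#define UDP_ENCAP_ESPINUDP_NON_IKE 1
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2
#endif

enum natt_probe { NATT_SUPPORTED, NATT_UNSUPPORTED, NATT_PROBE_ERROR };

/* Map a setsockopt() result to a verdict. Assumption: a kernel without the
 * ESP-over-UDP code rejects the option with ENOPROTOOPT (or EOPNOTSUPP);
 * anything else means the probe itself failed, not the feature. */
enum natt_probe classify_setsockopt(int rc, int err)
{
    if (rc == 0)
        return NATT_SUPPORTED;
    if (err == ENOPROTOOPT || err == EOPNOTSUPP)
        return NATT_UNSUPPORTED;
    return NATT_PROBE_ERROR;
}

/* Open a UDP socket and request the given encapsulation type, exactly the
 * call racoon issues when it was compiled with NAT-T support. */
enum natt_probe probe_kernel_natt(int encap_type)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return NATT_PROBE_ERROR;
    int rc = setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &encap_type, sizeof encap_type);
    int err = errno;
    close(fd);
    return classify_setsockopt(rc, err);
}

int main(void)
{
    static const char *verdict[] = { "supported", "unsupported", "probe error" };
    enum natt_probe r = probe_kernel_natt(UDP_ENCAP_ESPINUDP_NON_IKE);
    printf("UDP_ENCAP_ESPINUDP_NON_IKE: %s\n", verdict[r]);
    return r == NATT_SUPPORTED ? 0 : 1;
}
```

A non-zero exit on the box running racoon means the kernel, not racoon's configuration, is where the NAT-T setup is failing.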