[strongSwan] 5.0.1rc1 and FreeBSD

David Shane Holden dpejesh at yahoo.com
Fri Sep 28 11:48:47 CEST 2012


On 09/27/2012 06:51 AM, Tobias Brunner wrote:
> Hi David,
>
>> The first was some simple compile errors which I think I fixed in the
>> attached patch.
>
> Thanks, applied to master.
>
>> On startup I get the following messages:
>>
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.1rc1, FreeBSD
>> 9.0-RELEASE-p4, amd64)
>> 00[KNL] unable to set UDP_ENCAP: Invalid argument
>> 00[NET] enabling UDP decapsulation failed
>
> This happens when the NAT-T IPv6 socket is opened and the daemon tries
> to enable UDP en-/decapsulation for that port.  Linux supports this for
> IPv6, FreeBSD apparently not.  The patch at [1] improves the error
> message if this fails.  As long as it works for IPv4 (requires the
> kernel to be built with the IPSEC_NAT_T option) this should be fine.
>
>> 03[NET] received packet: from 192.168.1.201[500] to 192.168.1.1[500]
>> 03[KNL] 192.168.1.1 is not a local address or the interface is down
>> 03[NET] received packet from 192.168.1.201[500] to 192.168.1.1[500] on
>> ignored interface
>
> This is caused by a new check for inbound packets which together with
> the new options charon.interfaces_ignore and charon.interfaces_use allow
> one to ignore specific interfaces.  Unfortunately, the map used for this
> check in kernel-pfroute was not properly initialized, see [2] for a
> patch.  Actually, the patch at [3] avoids the check altogether if the
> above options are not used.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=45178362
> [2] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=9845391a
> [3] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=2e2feffb
>

Hey Tobias,

Thanks for the information about what I was seeing, and the fixes.  I 
was able to test them on my FreeBSD machine and it appears to be working 
now.

-- Dave





More information about the Users mailing list