[strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

Karl Denninger karl at denninger.net
Mon Oct 10 19:47:46 CEST 2022

On 10/10/2022 13:40, Tobias Brunner wrote:
> Hi Karl,
>> I am running GENERIC on the gateway as the docs say that's now ok; I 
>> used to run a custom kernel for other reasons (mostly PPS which I 
>> don't use anymore as I no longer have a local NTP clock) and the only 
>> material difference I can see is that the 12.2-STABLE custom kernel 
>> has the "enc" driver included in it ("device    enc") while GENERIC 
>> does not.
> Not sure if that driver is necessary or only required to do advanced 
> filtering.  You should definitely check if the kernel includes the 
> following options (or if you can kldload a module that provides them):
> options   IPSEC
> device    crypto
> # also needed because the Android app requires UDP encapsulation
> options   IPSEC_NAT_T
> Regards,
> Tobias
The top two are although the IPSEC is now dynamically loadable (the 
enabling option is there in 13.x), the latter one has never been in 
there and I've been using this with both Windows clients and Android for 
a looooong time.  IPSEC_NAT_T is not in the "LINT" file which 
theoretically should have all the valid options that actually do 
something in it.

The "LINT" file DOES have this in it, which implies that it has to be 
there in the config, and its NOT in GENERIC but was in my custom kernel 
configuration for 12.x and before:

# IPsec interface.
device          enc

I'm rebuilding now (its an embedded build so it takes an hour or so on 
my build box) to see if putting the "enc" option in there fixes it.

Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20221010/0453f4b3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4864 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20221010/0453f4b3/attachment.bin>

More information about the Users mailing list