[strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

Karl Denninger karl at denninger.net
Mon Oct 10 19:53:51 CEST 2022

On 10/10/2022 13:47, Karl Denninger wrote:
> On 10/10/2022 13:40, Tobias Brunner wrote:
>> Hi Karl,
>>> I am running GENERIC on the gateway as the docs say that's now ok; I 
>>> used to run a custom kernel for other reasons (mostly PPS which I 
>>> don't use anymore as I no longer have a local NTP clock) and the 
>>> only material difference I can see is that the 12.2-STABLE custom 
>>> kernel has the "enc" driver included in it ("device    enc") while 
>>> GENERIC does not.
>> Not sure if that driver is necessary or only required to do advanced 
>> filtering.  You should definitely check if the kernel includes the 
>> following options (or if you can kldload a module that provides them):
>> options   IPSEC
>> device    crypto
>> # also needed because the Android app requires UDP encapsulation
>> options   IPSEC_NAT_T
>> Regards,
>> Tobias
> The top two are although the IPSEC is now dynamically loadable (the 
> enabling option is there in 13.x), the latter one has never been in 
> there and I've been using this with both Windows clients and Android 
> for a looooong time.  IPSEC_NAT_T is not in the "LINT" file which 
> theoretically should have all the valid options that actually do 
> something in it.
> The "LINT" file DOES have this in it, which implies that it has to be 
> there in the config, and its NOT in GENERIC but was in my custom 
> kernel configuration for 12.x and before:
> # IPsec interface.
> device          enc
> I'm rebuilding now (its an embedded build so it takes an hour or so on 
> my build box) to see if putting the "enc" option in there fixes it.
Update: The kldload is not automatically initiated by the strongswan rc 
file; this is an obvious omission since GENERIC now includes only a stub 
and the actual ipsec driver must dynamically loaded.

I'll put a note in "bugzila" on it since the kernel config now requires 
you kldload the module or it doesn't work.  The enc and IPSEC_NAT_T 
declarations are not required and neither is in GENERIC.

Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20221010/7cc1e544/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4864 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20221010/7cc1e544/attachment-0001.bin>

More information about the Users mailing list