Hi,

I've tried both FAST_IPSEC and KAME IPSEC from my last 'working' snapshot of -CURRENT, which is dated April 20th, and neither seems to allow the use of the NULL encryption algorithm (RFC2410). I use this quite regularly to implement tunnels where confidentiality isn't required, but the ability to traverse ISP filters (which permit ESP traffic, but not GRE or IPIP for example) is required.

From what I can gather with setkey -x, all requests to set up an SA with SADB_EALG_NULL return an errno of 22 (Invalid argument) for both implementations:

    key_add: invalid message is passed.

I haven't drilled down as far as single-stepping through the code; that is difficult to do on this system as it's the core router for our local network. An update to a recent 5-CURRENT was needed as we plan to run pf's NAT with a simple ADSL-PPPoA-Ethernet bridge device as our main Internet link here.

Before I go tearing into netipsec and netkey, does anybody have any ideas how this functionality might have regressed?

Regards,
BMS

Received on Thu May 13 2004 - 03:25:56 UTC