Bug#644353: Kernel 8.2-1 is not enable with IPSEC
onsdag den 5 oktober 2011 klockan 08:04 skrev Petr Salinger detta:
> In this particular case, which option and devices have to be added.
> The  enlist:
>> option IPSEC
>> option IPSEC_NAT_T
>> device crypto
>> device enc
All of these are needed for the desired IPSec functionality.
> Have to be the devices built-in or can they be built as a modules ?
> I would prefer to use modules, iff posible.
> What have you used in your custom kernel 8.1 ?
I made them built-in for my custom kernel, so I can make no
accurate prediction as to the possibility of building them
The option IPSEC activates "pfkey" in the kernel, so is
mandatory for IPSec to work at all. IPSEC_NAT_T activates
additional abilities to follow addressing and is needed
to overcome IPv4 address rewriting external to the host.
It should be activated however.
Of these "enc" gives rise to a network device "enc0" where
decrypted traffic shows up, a device which is accessible for
filtering, so this feature is conceivable as a module.
It is not available as a module in present kfreebsd-image-8.2-1-amd64
presumably because the option IPSEC was not active.
"crypto" does the obvious thing in the kernel, "cryptodev"
is the corresponding part for user land. Both are built as
modules in the present kfreebsd-image-8.2-1-amd64. Only "crypto"
is needed for functional IPSec, since "pfkey" does the tracing
and routing, whereas "crypto" must do encryption, decryption,
and authentication work for IPSec to make any sense at all.