onsdag den 5 oktober 2011 klockan 08:04 skrev Petr Salinger detta: > > In this particular case, which option and devices have to be added. > The [1] enlist: > >> option IPSEC >> option IPSEC_NAT_T >> device crypto >> device enc
All of these are needed for the desired IPSec functionality. > Have to be the devices built-in or can they be built as a modules ? > I would prefer to use modules, iff posible. > > What have you used in your custom kernel 8.1 ? I made them built-in for my custom kernel, so I can make no accurate prediction as to the possibility of building them as modules. The option IPSEC activates "pfkey" in the kernel, so is mandatory for IPSec to work at all. IPSEC_NAT_T activates additional abilities to follow addressing and is needed to overcome IPv4 address rewriting external to the host. It should be activated however. Of these "enc" gives rise to a network device "enc0" where decrypted traffic shows up, a device which is accessible for filtering, so this feature is conceivable as a module. It is not available as a module in present kfreebsd-image-8.2-1-amd64 presumably because the option IPSEC was not active. "crypto" does the obvious thing in the kernel, "cryptodev" is the corresponding part for user land. Both are built as modules in the present kfreebsd-image-8.2-1-amd64. Only "crypto" is needed for functional IPSec, since "pfkey" does the tracing and routing, whereas "crypto" must do encryption, decryption, and authentication work for IPSec to make any sense at all. -- To UNSUBSCRIBE, email to debian-bsd-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20111005081100.gb12...@mea.homelinux.org