On 10/10/2022 13:47, Karl Denninger wrote:
On 10/10/2022 13:40, Tobias Brunner wrote:
Hi Karl,

I am running GENERIC on the gateway as the docs say that's now ok; I used to run a custom kernel for other reasons (mostly PPS which I don't use anymore as I no longer have a local NTP clock) and the only material difference I can see is that the 12.2-STABLE custom kernel has the "enc" driver included in it ("device    enc") while GENERIC does not.

Not sure if that driver is necessary or only required to do advanced filtering.  You should definitely check if the kernel includes the following options (or if you can kldload a module that provides them):

options   IPSEC
device    crypto
# also needed because the Android app requires UDP encapsulation
options   IPSEC_NAT_T

Regards,
Tobias

The top two are, although IPSEC is now dynamically loadable (the enabling option is there in 13.x); the latter one has never been in there, and I've been using this with both Windows clients and Android for a looooong time.  IPSEC_NAT_T is not in the "LINT" file, which theoretically should have all the valid options that actually do something in it.

The "LINT" file DOES have this in it, which implies that it has to be there in the config, and its NOT in GENERIC but was in my custom kernel configuration for 12.x and before:

# IPsec interface.
device          enc

I'm rebuilding now (it's an embedded build, so it takes an hour or so on my build box) to see if putting the "enc" option in there fixes it.

Update: The kldload is not automatically initiated by the strongswan rc file; this is an obvious omission, since GENERIC now includes only a stub and the actual ipsec driver must be dynamically loaded.

I'll put a note in "bugzilla" on it, since the kernel config now requires you to kldload the module or it doesn't work.  The enc and IPSEC_NAT_T declarations are not required, and neither is in GENERIC.

--
Karl Denninger
[email protected]
/The Market Ticker/
/[S/MIME encrypted email preferred]/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
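Added example, not from this thread or from the strongSwan project: a small POSIX sh pre-flight check that does what the thread ends up recommending on a FreeBSD 13 GENERIC kernel, namely verify that the crypto and ipsec kernel modules are available, load ipsec if it is not, and warn if it is not persisted in rc.conf. It assumes the module names `crypto` and `ipsec` (ipsec.ko), that `kldstat -q -m NAME` exits 0 for a module that is loaded or compiled in, and the `kld_list` variable of /etc/rc.conf; function names such as `ensure_kmod` are my own.

```shell
#!/bin/sh
# Pre-flight check for strongSwan on a FreeBSD 13 GENERIC kernel.
# GENERIC only carries the IPSEC_SUPPORT stub, so the IPsec code must come
# from ipsec.ko, and the strongswan rc script will not load it for you.
# Assumed (not taken from the thread): kmod names "crypto" and "ipsec",
# and that `kldstat -q -m NAME` exits 0 when NAME is loaded or compiled in.

# Exit 0 if the kernel module $1 is loaded or built into the kernel.
kmod_present() {
    kldstat -q -m "$1"
}

# Make module $1 available, loading it if needed; 1 if it cannot be loaded.
ensure_kmod() {
    mod=$1
    if kmod_present "$mod"; then
        echo "$mod: present"
        return 0
    fi
    echo "$mod: missing, trying kldload" >&2
    kldload "$mod" && return 0
    echo "$mod: kldload failed; not in the kernel config and no $mod.ko?" >&2
    return 1
}

# Exit 0 if rc.conf ($1, default /etc/rc.conf) lists ipsec in kld_list,
# i.e. the module will come back after a reboot.
kld_list_has_ipsec() {
    grep -Eq '^[[:space:]]*kld_list=(.*[^[:alnum:]_])?ipsec([^[:alnum:]_]|$)' \
        "${1:-/etc/rc.conf}" 2>/dev/null
}

# Check everything strongSwan needs from the kernel; non-zero if any is missing.
ipsec_preflight() {
    status=0
    for m in crypto ipsec; do
        ensure_kmod "$m" || status=1
    done
    if ! kld_list_has_ipsec "${1:-/etc/rc.conf}"; then
        echo 'hint: add ipsec to kld_list in /etc/rc.conf so it loads at boot' >&2
    fi
    return $status
}
```

Source the file and run `ipsec_preflight` before starting strongSwan; a non-zero exit means the daemon would come up without a usable IPsec stack.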
