NetBSD-Users archive


Re: Finding out at runtime which IPSEC options are built into the kernel (IPSEC_NAT_T?)



On Sun, Jun 6, 2021 at 2:49 AM Matthias Petermann <mp%petermann-it.de@localhost> wrote:
>
> ...looks like the IPSEC_NAT_T option no longer exists, but is included
> in IPSEC instead.
>
>
> OPTIONS(4):
>
> "
>       options IPSEC
>       Includes support for the IPsec protocol, using the implementation
> derived
>       from OpenBSD, relying on opencrypto(9) to carry out cryptographic
>       operations.  See ipsec(4) for details.
>
>       options IPSEC_DEBUG
>       Enables debugging code in IPsec stack.  See ipsec(4) for details.  The
>       IPSEC option includes support for IPsec Network Address Translator
>       traversal (NAT-T), as described in RFCs 3947 and 3948.  This feature
>       might be patent-encumbered in some countries.
> "
>
>
>
> Am 06.06.21 um 11:28 schrieb Matthias Petermann:
> > Hello,
> >
> > the subject probably already summarises the question - here is just a
> > brief background: I would like to establish an IPSEC connection from a
> > NetBSD box behind a NAT router to an IPSEC-VPN. My understanding is that
> > the kernel must have the appropriate IPSEC_NAT_T option for this. Can I
> > somehow find this out reliably at runtime?
> >
> > I have a NetBSD 9.2_STABLE with GENERIC kernel on evbarm.
> >
> > Small additional question: Does anyone here happen to have general
> > experience with whether and how a VPN connection to a FritzBox can be
> > established with NetBSD on-board means (racoon)? I have already done a
> > lot of research on this - most of the tutorials and blogs on this are
> > already over 5 years old, and there have already been several firmware
> > updates of the FritzBoxes in the meantime, so it is not easy to narrow
> > down where the error lies.
> >
> > Kind regards
> > Matthias
> >
>

Hopefully this helps someone searching:

The options(4) man page shows this line:

    strings netbsd | sed -n 's/^_CFG_//p' | unvis

(note that "netbsd" is the kernel file, usually at /netbsd)

This will work if the kernel has the INCLUDE_CONFIG_FILE option which
I believe is on by default.

It shows all options compiled into the kernel. I've used it many times
to figure out what I did on some kernel.

Andy
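An added, self-contained illustration of that pipeline (not from the post or from NetBSD itself): a portable Python equivalent of `strings netbsd | sed -n 's/^_CFG_//p' | unvis`, run over a constructed byte string standing in for /netbsd, which then answers the original question by looking up the option name and, because the quoted options(4) text says NAT-T is now part of IPSEC, maps IPSEC_NAT_T to IPSEC. It assumes the embedded config lines are vis(3)-encoded as unvis(1) decodes them, and decodes only the common subset of escapes.

```python
import re
# Constructed sample "kernel image" (not a real /netbsd): binary bytes around
# the vis(3)-encoded _CFG_ lines a kernel built with INCLUDE_CONFIG_FILE carries.
SAMPLE_KERNEL = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"_CFG_#\\011GENERIC-like config for evbarm\x00"
    + b"_CFG_options\\011INET,INET6\\t# IP + IPv6\x00"
    + b"_CFG_options\\011IPSEC\\011\\011# IP security, NAT-T included\x00"
    + b"_CFG_options\\011IPSEC_DEBUG\x00_CFG_no options\\011IPSEC_DEBUG\x00junk")

_CSTYLE = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
           "f": "\f", "v": "\v", "s": " ", "\\": "\\"}

def unvis(s):
    """Decode \\\\, C-style, \\s and octal \\ddd escapes: the subset of unvis(3)
    that vis-encoded config text needs; anything else passes through as-is."""
    out, i = [], 0
    while i < len(s):
        n = s[i + 1] if s[i] == "\\" and i + 1 < len(s) else ""
        if n in _CSTYLE:                       # "" is never a key
            out.append(_CSTYLE[n]); i += 2
        elif n and n in "01234567":            # 1-3 octal digits
            m = re.match(r"[0-7]{1,3}", s[i + 1:]).group()
            out.append(chr(int(m, 8))); i += 1 + len(m)
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def kernel_config_lines(image):
    """strings(1)-like scan for runs of >= 4 printable bytes, then the
    sed -n 's/^_CFG_//p' | unvis step: decode only the _CFG_-prefixed runs."""
    runs = re.findall(rb"[\x20-\x7e]{4,}", image)
    return [unvis(r[5:].decode("ascii")) for r in runs if r.startswith(b"_CFG_")]

def kernel_options(image):
    """Option names from 'options A,B=1' lines; 'no options X' removes X again."""
    opts = set()
    for line in kernel_config_lines(image):
        if m := re.match(r"\s*(no\s+)?options\s+([^#]+)", line):
            names = {n.split("=")[0].strip() for n in m.group(2).split(",")}
            opts = opts - names if m.group(1) else opts | names
    return opts

def option_status(image, name):
    """'present' / 'absent', or 'unknown' when there are no _CFG_ strings at all
    (kernel built without INCLUDE_CONFIG_FILE). IPSEC_NAT_T is part of IPSEC now."""
    if not kernel_config_lines(image):
        return "unknown"
    wanted = "IPSEC" if name == "IPSEC_NAT_T" else name
    return "present" if wanted in kernel_options(image) else "absent"
```

To use it on a real system, read /netbsd with `open("/netbsd", "rb").read()` and pass those bytes instead of SAMPLE_KERNEL; an "unknown" result means the kernel carries no embedded config to inspect.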

