tech-net archive


Strongswan on NetBSD and pfkey extensions



I have been testing the Strongswan IKE daemon on NetBSD 9.0, and the
good news is that it compiles and works (with a few caveats) with a
couple of #ifdefs to the pfkey module.

The pfkey module is expecting to find the following PF_KEY extensions which
apparently are present on FreeBSD:

#define SADB_X_EXT_SA_REPLAY          26    /* Replay window override. */
#define SADB_X_EXT_NEW_ADDRESS_SRC    27
#define SADB_X_EXT_NEW_ADDRESS_DST    28

While the daemon works well enough without them, they would be nice to have.
Is anyone working on porting these over?

Also the warning "unable to query policy dead::beef/128 ===
beef::dead/128 in: kernel reports no use time" is logged even after
enabling the FreeBSD workaround, which always sets SADB_EXT_LIFETIME_HARD to
LONG_MAX if nothing else is configured. Is SADB_EXT_LIFETIME_CURRENT
expected to work? It looks like "setkey -DP" doesn't show anything either
(setkey on Linux shows the lifetime fields).

Caveats:
  * Only IPv6 transport mode with IKEv2 tested so far. I might give v4/v6 tunnel
    modes a spin later on.
  * IPv6 source address selection incorrectly uses a link-local address
    as the source unless the source is set manually in the config, but I think this is
    broken on all pfroute platforms: proper address selection code only exists
    in the netlink module.

  -vuori
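The discussion above turns on which PF_KEY extensions a kernel actually returns and on what a userland daemon should do when SADB_EXT_LIFETIME_CURRENT is missing. The following is an added example and not code from the post, from strongSwan's pfkey plugin, or from the NetBSD kernel: a bounds-checked walker over the PF_KEY v2 extension chain, run against a hand-built SADB_DUMP reply that carries an SA, a hard lifetime and a FreeBSD-style replay-window override but, unless asked, no LIFETIME_CURRENT. Struct layouts and constants are transcribed from RFC 2367 so it builds without <net/pfkeyv2.h>; the value SADB_X_EXT_SA_REPLAY = 26 and the 8-byte layout of its extension are assumed to match FreeBSD, and the sample message is constructed, not captured.

```c
/* Added example, not strongSwan's pfkey plugin and not NetBSD kernel code: a
 * bounds-checked walker for a PF_KEY v2 extension chain, run over a hand-built
 * SADB_DUMP reply. Layouts and constants follow RFC 2367 so this builds without
 * <net/pfkeyv2.h>; SADB_X_EXT_SA_REPLAY = 26 and its layout are assumed from FreeBSD. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PF_KEY_V2                 2
#define SADB_DUMP                 10
#define SADB_EXT_SA               1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD    3
#define SADB_X_EXT_SA_REPLAY      26  /* FreeBSD value quoted in the post */
#define PFKEY_UNIT                8   /* every *_len field counts 64-bit words */

/* RFC 2367 layouts: 16, 4, 16 and 32 bytes, naturally aligned, no padding. */
struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa { uint16_t sadb_sa_len, sadb_sa_exttype; uint32_t sadb_sa_spi;
                 uint8_t sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
                 uint32_t sadb_sa_flags; };
struct sadb_lifetime { uint16_t sadb_lifetime_len, sadb_lifetime_exttype;
                       uint32_t sadb_lifetime_allocations;
                       uint64_t sadb_lifetime_bytes, sadb_lifetime_addtime, sadb_lifetime_usetime; };
struct sadb_x_sa_replay { uint16_t sadb_x_sa_replay_len, sadb_x_sa_replay_exttype;
                          uint32_t sadb_x_sa_replay_replay; };   /* 8 bytes, assumed FreeBSD layout */

struct scan_result { int rc; uint32_t present; uint64_t usetime; };

/* Walk one message. Every sadb_ext_len is checked against the bytes that remain
 * before it is trusted: a zero length would spin forever and an oversized one
 * would read past the buffer. present = bitmask of extension types seen (< 32),
 * usetime = use time from LIFETIME_CURRENT if that extension exists, rc = 0/-1. */
static struct scan_result pfkey_scan_exts(const uint8_t *buf, size_t buflen)
{
    struct scan_result r = { -1, 0, 0 };
    struct sadb_msg msg;
    size_t off, msglen;
    if (buflen < sizeof msg) return r;
    memcpy(&msg, buf, sizeof msg);
    msglen = (size_t)msg.sadb_msg_len * PFKEY_UNIT;
    if (msg.sadb_msg_version != PF_KEY_V2 || msglen < sizeof msg || msglen > buflen) return r;
    for (off = sizeof msg; off < msglen; ) {
        struct sadb_ext ext;
        size_t extlen;
        if (msglen - off < sizeof ext) return r;
        memcpy(&ext, buf + off, sizeof ext);
        extlen = (size_t)ext.sadb_ext_len * PFKEY_UNIT;
        if (extlen < PFKEY_UNIT || extlen > msglen - off) return r;  /* malformed: stop, don't overread */
        if (ext.sadb_ext_type < 32) r.present |= 1u << ext.sadb_ext_type;
        if (ext.sadb_ext_type == SADB_EXT_LIFETIME_CURRENT && extlen >= sizeof(struct sadb_lifetime)) {
            struct sadb_lifetime lt;
            memcpy(&lt, buf + off, sizeof lt);
            r.usetime = lt.sadb_lifetime_usetime;
        }
        off += extlen;
    }
    r.rc = 0; return r;
}

/* Constructed SADB_DUMP reply (synthetic, not a NetBSD capture): SA, hard lifetime
 * and a replay-window override; LIFETIME_CURRENT only when asked for, which is
 * the situation behind "kernel reports no use time". Returns length in bytes. */
static size_t build_sample_reply(uint8_t *out, size_t cap, int with_current)
{
    size_t len = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + sizeof(struct sadb_x_sa_replay)
               + sizeof(struct sadb_lifetime) * (with_current ? 2 : 1);
    struct sadb_msg msg = { PF_KEY_V2, SADB_DUMP, 0, 3 /* SADB_SATYPE_ESP */,
                            (uint16_t)(len / PFKEY_UNIT), 0, 1, 4242 };
    struct sadb_sa sa = { 2, SADB_EXT_SA, 0xc0ffee01u, 32, 0, 0, 0, 0 };
    struct sadb_lifetime hard = { 4, SADB_EXT_LIFETIME_HARD, 0, 0, 3600, 0 };
    struct sadb_lifetime cur  = { 4, SADB_EXT_LIFETIME_CURRENT, 0, 0, 120, 117 };
    struct sadb_x_sa_replay rp = { 1, SADB_X_EXT_SA_REPLAY, 1024 }; /* beyond sadb_sa_replay's 8 bits */
    uint8_t *p = out;
    if (cap < len) return 0;
    memcpy(p, &msg, sizeof msg);   p += sizeof msg;
    memcpy(p, &sa, sizeof sa);     p += sizeof sa;
    memcpy(p, &hard, sizeof hard); p += sizeof hard;
    if (with_current) { memcpy(p, &cur, sizeof cur); p += sizeof cur; }
    memcpy(p, &rp, sizeof rp);
    return len;
}

/* Parse the sample; corrupt_first_len zeroes the SA extension's length field
 * so the walker's rejection path can be exercised. */
static struct scan_result scan_sample(int with_current, int corrupt_first_len)
{
    uint8_t buf[128];
    size_t n = build_sample_reply(buf, sizeof buf, with_current);
    if (corrupt_first_len) buf[sizeof(struct sadb_msg)] = buf[sizeof(struct sadb_msg) + 1] = 0;
    return pfkey_scan_exts(buf, n);
}

int main(void)
{
    struct scan_result r = scan_sample(0, 0);
    printf("rc=%d, LIFETIME_CURRENT %s\n", r.rc,
           r.present & (1u << SADB_EXT_LIFETIME_CURRENT) ? "present" : "absent (no use time)");
    return 0;
}
```

The walker deliberately copies each header out with memcpy rather than casting into the buffer, and refuses a message whose extension length is zero or runs past sadb_msg_len; both are things a daemon talking to a kernel via an AF_KEY socket should check before trusting the chain, since a kernel-side bug in an extension it does not know about would otherwise turn into an out-of-bounds read in userland. On a real system the buffer would come from read(2) on a PF_KEY socket after an SADB_DUMP request instead of build_sample_reply().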

