tech-net archive


Re: Strongswan on NetBSD and pfkey extensions



Valtteri Vuorikoski <vuori%notcom.org@localhost> writes:

> I have been testing the Strongswan IKE daemon on NetBSD 9.0, and the
> good news is that it compiles and works (with a few caveats) with a
> couple of #ifdefs to the pfkey module.

That's good to hear. Assuming that belongs in pkgsrc, it would be great
to get that (and patches) into wip.

> The pfkey module is expecting to find the following PF_KEY extensions which
> apparently are present on FreeBSD:
>
> #define SADB_X_EXT_SA_REPLAY          26    /* Replay window override. */
> #define SADB_X_EXT_NEW_ADDRESS_SRC    27
> #define SADB_X_EXT_NEW_ADDRESS_DST    28
>
> While the daemon works well enough without them, they would be nice to have.
> Is anyone working on porting these over?

I have not heard of anyone doing that.

> Also the warning "unable to query policy dead::beef/128 ===
> beef::dead/128 in: kernel reports no use time" is logged even after
> enabling FreeBSD workaround which always sets SADB_EXT_LIFETIME_HARD to
> LONG_MAX if nothing else is configured. Is SADB_EXT_LIFETIME_CURRENT
> expected to work? Looks like "setkey -DP" doesn't show anything either
> (setkey on Linux shows lifetime stuff).

It's been a long time and I don't remember.  I'm afraid you'll have to
read the code.

> Caveats:
>   * Only IPv6 transport mode with IKEv2 tested so far. I might give v4/v6 tunnel
>     modes a spin later on.
>   * IPv6 source address selection incorrectly uses link-local address
>     as source unless source is manually set in config, but I think this is broken
>     on all pfroute platforms: proper address selection code only exists
>     in the netlink module.

Anything you can fix upstream is even better.
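The thread turns on two things: the strongSwan pfkey module guarding FreeBSD-only extension types with `#ifdef`, and what is lost when the SADB_X_EXT_SA_REPLAY override is absent (RFC 2367's sadb_sa carries the anti-replay window in a single byte). The following is an added illustration, not code from the thread or from strongSwan's pfkey module. It declares the RFC 2367 headers locally so it builds on any host, assumes the sadb_x_sa_replay layout matches FreeBSD's <net/pfkeyv2.h>, and uses only the extension number quoted in the message. It serialises an SA message with and without the override and parses it back with length checks on every extension, which is the property any PF_KEY consumer needs when the kernel may hand back extension types it does not know.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal RFC 2367 layouts, declared locally so the example builds on any
 * host; real code takes them from <net/pfkeyv2.h>. Every *_len field counts
 * 64-bit units, which the bounds checks below rely on. */
struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa {
    uint16_t sadb_sa_len, sadb_sa_exttype;
    uint32_t sadb_sa_spi;
    uint8_t  sadb_sa_replay;            /* anti-replay window, 8 bits only */
    uint8_t  sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
    uint32_t sadb_sa_flags;
};
#define SADB_EXT_SA 1

/* Guard in the style the thread describes: the FreeBSD-only extension is
 * used only when the platform header defines it. The fallback value is the
 * one quoted in the message; it lets the parser recognise the extension if a
 * kernel that has it ever returns one. */
#ifdef SADB_X_EXT_SA_REPLAY
#  define KERNEL_HAS_SA_REPLAY 1
#else
#  define SADB_X_EXT_SA_REPLAY 26
#  define KERNEL_HAS_SA_REPLAY 0
#endif
/* Assumed to match FreeBSD's struct sadb_x_sa_replay. */
struct sadb_x_sa_replay {
    uint16_t sadb_x_sa_replay_len, sadb_x_sa_replay_exttype;
    uint32_t sadb_x_sa_replay_replay;   /* anti-replay window, 32 bits */
};
_Static_assert(sizeof(struct sadb_msg) == 16, "sadb_msg packing");
_Static_assert(sizeof(struct sadb_sa) == 16, "sadb_sa packing");
_Static_assert(sizeof(struct sadb_x_sa_replay) == 8, "sadb_x_sa_replay packing");

#define PFKEY_UNIT 8
#define PFKEY_UNITS(bytes) ((uint16_t)((bytes) / PFKEY_UNIT))

/* Serialise a message carrying one SA with the requested anti-replay window.
 * Without the extension the window is clamped to the 8-bit field; with it,
 * the full value travels in SADB_X_EXT_SA_REPLAY. Returns bytes written, or
 * 0 if buf cannot hold the message. */
size_t build_sa_msg(uint8_t *buf, size_t cap, uint32_t spi, uint32_t window,
                    int have_replay_ext)
{
    struct sadb_msg hdr = {0};
    struct sadb_sa sa = {0};
    struct sadb_x_sa_replay rep = {0};
    int add_ext = have_replay_ext && window > UINT8_MAX;
    size_t need = sizeof hdr + sizeof sa + (add_ext ? sizeof rep : 0);

    if (cap < need) return 0;
    sa.sadb_sa_len = PFKEY_UNITS(sizeof sa);
    sa.sadb_sa_exttype = SADB_EXT_SA;
    sa.sadb_sa_spi = spi;
    sa.sadb_sa_replay = window > UINT8_MAX ? UINT8_MAX : (uint8_t)window;
    hdr.sadb_msg_version = 2;               /* PF_KEY_V2 */
    hdr.sadb_msg_len = PFKEY_UNITS(need);
    memcpy(buf, &hdr, sizeof hdr);          /* memcpy: buf may be unaligned */
    memcpy(buf + sizeof hdr, &sa, sizeof sa);
    if (add_ext) {
        rep.sadb_x_sa_replay_len = PFKEY_UNITS(sizeof rep);
        rep.sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
        rep.sadb_x_sa_replay_replay = window;
        memcpy(buf + sizeof hdr + sizeof sa, &rep, sizeof rep);
    }
    return need;
}

/* Walk the extensions and report the window the kernel would apply: the
 * override if present, else the 8-bit field. Every length is checked against
 * the buffer before it is trusted, so a truncated or self-contradicting
 * message yields -1 instead of a read past the end; unknown extension types
 * are skipped by their declared length. */
int64_t effective_replay_window(const uint8_t *buf, size_t len)
{
    struct sadb_msg hdr;
    size_t off = sizeof hdr;
    int64_t window = -1;

    if (len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if ((size_t)hdr.sadb_msg_len * PFKEY_UNIT != len) return -1;
    while (off < len) {
        struct sadb_ext ext;
        size_t ext_bytes;
        if (len - off < sizeof ext) return -1;
        memcpy(&ext, buf + off, sizeof ext);
        ext_bytes = (size_t)ext.sadb_ext_len * PFKEY_UNIT;
        if (ext_bytes < sizeof ext || ext_bytes > len - off) return -1;
        if (ext.sadb_ext_type == SADB_EXT_SA && ext_bytes >= sizeof(struct sadb_sa)) {
            struct sadb_sa sa;
            memcpy(&sa, buf + off, sizeof sa);
            if (window < 0) window = sa.sadb_sa_replay;
        } else if (ext.sadb_ext_type == SADB_X_EXT_SA_REPLAY &&
                   ext_bytes >= sizeof(struct sadb_x_sa_replay)) {
            struct sadb_x_sa_replay rep;
            memcpy(&rep, buf + off, sizeof rep);
            return rep.sadb_x_sa_replay_replay;   /* override wins */
        }
        off += ext_bytes;
    }
    return window;
}

/* Build then parse in one step; returns the window the parser recovers. */
int64_t replay_roundtrip(uint32_t window, int have_replay_ext)
{
    uint8_t buf[64];
    size_t n = build_sa_msg(buf, sizeof buf, 0x1000, window, have_replay_ext);
    return n ? effective_replay_window(buf, n) : -1;
}

/* Size of the serialised message for a given window/extension combination. */
size_t replay_msg_size(uint32_t window, int have_replay_ext)
{
    uint8_t buf[64];
    return build_sa_msg(buf, sizeof buf, 0x1000, window, have_replay_ext);
}
```

The clamped round trip is the practical consequence the thread is pointing at: a 1024-packet window configured on a platform without the override silently becomes 255, and the parser also shows why a consumer must honour each extension's own length rather than assume the fixed RFC layout.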

