NAT-T support for IPSec stack

Matthew Grooms mgrooms at seton.org
Tue Aug 2 17:29:27 GMT 2005


Woohoo!!! Thanks!!! I was just poking around for this last week 
and wondering when someone was going to bring this support to FreeBSD.

 >For some months now, ipsec-tools is now the "official" version of
 >racoon, the KAME's isakmp daemon.

I hope it shows up in ports soon. The racoon port maintainer mentioned 
that the most recent import would be the last and the KAME racoon 
developer has stated he won't be maintaining the code anymore. A lot of 
fixes have shown up in ipsec-tools after the fork from the KAME project 
as well as hybrid user authentication support via pam. OpenBSD's isakmpd 
supports NAT-T as well. FreeBSD seems to be the straggler here.

If memory serves me right, KAME IPSEC is still not SMP safe at the 
moment. It seems like FAST_IPSEC had a caveat as well like it doesn't 
work with IPV6 or something like that. Could it be that there is no 
developer that 'owns' these subsystems? Perhaps rrwatson has this on his 
list of things to attack with his ninja net hacking skills.

 >Are you interested in it?

Yes (as a user) but I am not a FreeBSD developer. I think there was 
initially resistance from open source groups to integrate this support 
due to patent issues (maybe just WRT usage w/ IKEv1) but it must have 
been resolved as both OpenBSD and Linux support this functionality now.

It would be very cool to get NAT-T + ipsec-tools support as it opens the 
door for FreeBSD to compete with the big boys in the client-based VPN 
market at some point down the road and offers an IPSEC alternative to 
OpenVPN.

 >Of course, it would also be interesting to have an ipsec-tools port,
 >I'll contact the ports list for such an integration.

Fantastic! The website states that it compiles cleanly and works well on 
FreeBSD so it should be a piece of cake.

I am in the process of moving but once I am settled and upgraded to 6 I will 
definitely test out your patches and would be willing to test out any 
ipsec-tools port as well. Thanks again for your work on this.

-Matthew


More information about the freebsd-net mailing list