From: Matthew Grooms
Organization: Seton Healthcare Network
Date: Tue, 02 Aug 2005 12:34:54 -0500
To: vanhu_bsd@zeninc.net
Cc: freebsd-net@freebsd.org
Subject: RE: NAT-T support for IPSec stack
Message-ID: <42EFAEBE.8060905@seton.org>
List-Id: Networking and TCP/IP with FreeBSD

Woohoo!!! Thanks!!!

I was just checking poking around for this last week and wondering when someone was going to bring this support to FreeBSD.

>For some months now, ipsec-tools is now the "official" version of
>racoon, the KAME's isakmp daemon.

I hope it shows up in ports soon. The racoon port maintainer mentioned that the most recent import would be the last and the KAME racoon developer has stated he won't be maintaining the code anymore. A lot of fixes have shown up in ipsec-tools after the fork from the KAME project as well as hybrid user authentication support via pam. OpenBSD's isakmpd supports NAT-T as well. FreeBSD seems to be the straggler here.

If memory serves me right, KAME IPSEC is still not SMP safe at the moment. It seems like FAST_IPSEC had a caveat as well like it doesn't work with IPV6 or something like that. Could it be that there is no developer that 'owns' these subsystems? Perhaps rrwatson has this on his list of things to attack with his ninja net hacking skills.

>Are you interested in it?

Yes (as a user) but I am not a FreeBSD developer. I think there was initially resistance from open source groups to integrate this support due to patent issues (maybe just WRT usage w/ IKEv1) but must have been resolved as both OpenBSD and Linux support this functionality now. It would be very cool to get NAT-T + ipsec tools support as it opens the door for FreeBSD to compete with the big boys in the client based VPN market at some point down the road and offers an IPSEC alternative to OpenVPN.

>Of course, it would also be interesting to have an ipsec-tools port,
>I'll contact the ports list for such an integration.

Fantastic! The website states that it compiles cleanly and works well on FreeBSD so it should be a piece of cake. I am in the process of moving but once settled and upgrade to 6 I will definitely test out your patches and would be willing to test out any ipsec-tools port as well.

Thanks again for your work on this.

-Matthew