Date:      Thu, 05 Nov 1998 17:33:28 +0900
From:      Jun-ichiro itojun Itoh <itojun@iijlab.net>
To:        "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc:        Andreas Klemm <andreas@klemm.gtn.com>, Mike Tancsa <mike@sentex.net>, Juergen Nickelsen <ni@tellique.de>, freebsd-net@FreeBSD.ORG, jkh@FreeBSD.ORG, joerg@FreeBSD.ORG
Subject:   Re: ipsec (VPN) for -current ? (Re: VPN through encrypted IP tunnel for FreeBSD? ) 
Message-ID:  <21751.910254808@coconut.itojun.org>
In-Reply-To: jkh's message of Thu, 05 Nov 1998 00:15:46 PST. <18269.910253746@time.cdrom.com> 


>> 	mmm, if it gets committed, what happens to IPsec part of KAME stack?
>I was going to ask you that, actually.  Do you guys have it decoupled,
>or is it tightly integrated, or...?  Also, is IPsec in KAME finished
>at this time or is it a longer-term project?  I guess we could tell
>Stephanie to find something else to do, but she's using the code
>actively at her ISP now and is apparently fairly keen on the
>technology getting into FreeBSD for the next release.

	KAME IPsec is working stably and has been tested with other
	implementations at various test events.  It comes with a home-brew
	IKE daemon, "racoon".
	(note: automatic keying with the IKE daemon needs some time to get
	stable, especially key renewal when a key expires)
	You can configure "options IPSEC" and "options INET6" independently,
	so the IPsec part and the IPv6 part are decoupled to some degree
	(IPsec support code is plugged into ip_output.c, socket manipulation,
	and other places).
	Therefore, you can test IPsec alone by configuring the kernel properly.

	The key differences are:
	- OpenBSD IPsec uses PF_ENCAP kernel interface, which has no standard
	  as far as I know.  KAME IPsec uses PF_KEY v2 defined in RFC2367.
	- OpenBSD IPsec does not support IPv6.  KAME IPsec supports IPv6.
	  Therefore, if OpenBSD IPsec and KAME IPv6 get imported, somebody
	  has to modify OpenBSD IPsec to support IPv6.
	- OpenBSD uses PlutoPlus, and KAME uses racoon, as the IKE daemon.

itojun
