Date: Thu, 05 Nov 1998 17:33:28 +0900
From: Jun-ichiro itojun Itoh <itojun@iijlab.net>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: Andreas Klemm <andreas@klemm.gtn.com>, Mike Tancsa <mike@sentex.net>, Juergen Nickelsen <ni@tellique.de>, freebsd-net@FreeBSD.ORG, jkh@FreeBSD.ORG, joerg@FreeBSD.ORG
Subject: Re: ipsec (VPN) for -current ? (Re: VPN through encrypted IP tunnel for FreeBSD? )
Message-ID: <21751.910254808@coconut.itojun.org>
In-Reply-To: jkh's message of Thu, 05 Nov 1998 00:15:46 PST. <18269.910253746@time.cdrom.com>

>> mmm, if it gets committed, what happens to IPsec part of KAME stack?

>I was going to ask you that, actually. Do you guys have it decoupled,
>or is it tightly integrated, or...? Also, is IPsec in KAME finished
>at this time or is it a longer-term project? I guess we could tell
>Stephanie to find something else to do, but she's using the code
>actively at her ISP now and is apparently fairly keen on the
>technology getting into FreeBSD for the next release.

KAME IPsec is stably working and tested with other implementations in
various test events. It comes with a home-brew IKE daemon, "racoon".
(note: automatic keying with the IKE daemon needs some time to get stable,
especially key renewal when a key expires)

You can configure "options IPSEC" and "options INET6" independently,
so the IPsec part and the IPv6 part are decoupled to some degree (IPsec support
code is plugged into ip_output.c, socket manipulation, and other places).
Therefore, you can test IPsec alone by configuring the kernel properly.

The key differences are:
- OpenBSD IPsec uses the PF_ENCAP kernel interface, which has no standard
  as far as I know. KAME IPsec uses PF_KEY v2, defined in RFC2367.
- OpenBSD IPsec does not support IPv6. KAME IPsec supports IPv6.
  Therefore, if OpenBSD IPsec and KAME IPv6 get imported, somebody has
  to modify OpenBSD IPsec to support IPv6.
- OpenBSD uses PlutoPlus, and KAME uses racoon for the IKE daemon.

itojun