[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Future direction of IPsec in OpenBSD.



On Mon, Aug 13, 2001 at 02:42:52AM +1000, Darren Reed wrote:
> Is there any stated direction for IPSec within OpenBSD?  Is it likely to
> adopt KAME completely or will it continue to be its own project?  From
> my experiments over the weekend, the shipped version of IPSec in both
> NetBSD 1.5 and OpenBSD 2.9 barely works when it comes to IKE and isakmpd
> is a monster.  To give a brief of what I was able to achieve:
> 
> * manual keying between NetBSD/OpenBSD/Solaris8 works without a problem;
>
Thanks for reporting this to the archives.

> * using isakmpd, a Windows2000sp2 box can initiate an IPSec session with
>   either NetBSD or OpenBSD but neither can initiate a session with Win2k.
>   Only "problem" is the IKE session drops out and is not kept alive.
> 
> * restarting isakmpd requires that any current sessions in win2k be
>   flushed with a restart of the ipsec policy service and vice versa;
> 
It's a well-known non-standard-conforming phenomenon commonly observed
in windoze. Fortunately w98 did not have any proprietary ipsec code.

Heads-up: read the "developed by MS & Cisco..." notice. And you would
understand why even though you dont have w2k source to trace.  With
your talent in ipfilter implementation, would not be difficult.

> * using racoon on NetBSD 1.5 (with a relatively current KAME snapshot),
>   NetBSD can successfully initiate or receive an IPSec session from win2k
>   (which doesn't time out);
> 
OK, please report success story to NetBSD.

> * isakmpd on OpenBSD 2.9 and racoon on NetBSD 1.5 do not seem to work
>   very well at all.  I'm not sure if it is a configuration problem on
>   my behalf or they just hate each other.
>
I am pretty satisfied by the fact that OBSD isakmpd can work very well
with OBSD isakmpd and PGP clean-source clients.

> I guess the key here is isakmpd.  Is it actively being maintained in
> OpenBSD or is starting to suffer from bitrot with the eventual goal
> for it to be replaced by racoon?  If there are plans for the integration
> of KAME into OpenBSD I'll saunter off and try the latest KAME snapshot
> for OpenBSD 2.9.  If anyone here is taking votes, I put my hand up for
> racoon - isakmpd is a bitch to configure by comparison!
> 
OpenBSD already had ipv6 and altq from Kame. 
We already have home-made ipsec implementation.
If there is any issue associated with the code, our developers will
definately fix them according to standards, rather than replacing
the code.

> If anyone else has any war stories about getting IPSec to work between
> the above three systems, I'd like to hear from you.
> 
If you have any concrete bug-criticism, OpenBSD IPsec implementators
will definately interact with you.  Or, unlike me just a user, you can
even participate in refining the code and implementation. I dont
think Theo et al would be unfriendly to you for any past issue. Why
not start from what you are good at, i.e., packet filter, which is
still in its infancy and needs people like you?