Openiked, a FreeBSD port and partial NAT-T on FreeBSD and Linux
Slightly updated. Originally posted 2013-05-17 14:58.
When I tried to implement
Better-than-nothing Security I
chose to work with OpenBSD's new IKEv2 daemon,
iked. When Reyk and
iked to Apple's OS X and created the portabled version,
Openiked, it seemed only natural that I would
try to port it to FreeBSD and Linux.
To afford to spend time on porting, I applied for funds from .SE's Internet Fund. However, before I even started with the project, someone, probably Mike and/or Reyk, ported Openiked to FreeBSD and Linux! This was in late
I lost a bit of steam there, but I decided that I could at least make a
software package for FreeBSD of Openiked (in the FreeBSD ports system)
and try to implement NAT-traversal configuration when
iked runs on
FreeBSD and Linux.
Openiked is submitted to FreeBSD ports as
security/openiked. You can
follow its progress here:
Please note: There hasn't been any official releases of Openiked yet, so my port is based on the Git version as it was on 2013-03-12. When any official releases is made, I will update the port.
On my Openiked project web page there's also a patch available to configure the IPsec stack on both FreeBSD and Linux to encapsulate the ESP packets in UDP for traversing a NAT. However, something seems to be missing. The IKEv2 dialogue detects a NAT, the configuration works and outgoing ESP is duly encapsulated in UDP. Traffic comes through to the other end… and is immediately thrown away!
I don't know why this happens. I've been staring at the code and going through kernel code for what seems like ages. I have to admit that I'm stuck. If someone can find out what's wrong I would appreciate it if you contacted me.
I have done a sort of brain dump about the problem and what I've already tried on the project page. Perhaps it will be of some help if someone else (even myself, at a later date), tries to figure out what's wrong. For more, see:
Reyk recently presented Openiked at BSDCan 2013. I wish him luck and I hope that the project will get the interest it deserves.
I will continue to follow the Openiked project, updating the FreeBSD
security/openiked as needed. If there's any new development on
the NAT-T front, I will also update my patch, but from now on I won't
spend much time on it.