MC's journal

Setting Orange, the 67th day of Discord in the YOLD 3179

Openiked, a FreeBSD port and partial NAT-T on FreeBSD and Linux

Slightly updated. Originally posted 2013-05-17 14:58.

When I tried to implement Better-than-nothing Security I chose to work with OpenBSD's new IKEv2 daemon, iked. When Reyk and Mike ported iked to Apple's OS X and created the portable version, Openiked, it seemed only natural that I would try to port it to FreeBSD and Linux.

To afford to spend time on porting, I applied for funds from .SE's Internet Fund. However, before I even started with the project, someone, probably Mike and/or Reyk, ported Openiked to FreeBSD and Linux! This was in late 2012.

I lost a bit of steam there, but I decided that I could at least make a software package for FreeBSD of Openiked (in the FreeBSD ports system) and try to implement NAT-traversal configuration when iked runs on FreeBSD and Linux.

Openiked has been submitted to FreeBSD ports as security/openiked. You can follow its progress here:

http://www.freebsd.org/cgi/query-pr.cgi?pr=177651

Please note: There haven't been any official releases of Openiked yet, so my port is based on the Git version as it was on 2013-03-12. When an official release is made, I will update the port.

On my Openiked project web page there's also a patch available to configure the IPsec stack on both FreeBSD and Linux to encapsulate the ESP packets in UDP for traversing a NAT. However, something seems to be missing. The IKEv2 dialogue detects a NAT, the configuration works and outgoing ESP is duly encapsulated in UDP. Traffic comes through to the other end… and is immediately thrown away!
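The NAT check that the IKEv2 exchange performs before either side starts encapsulating ESP in UDP, as an added Python example that is not code from this post or from Openiked. It follows RFC 7296 section 2.23; the SPIs, addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values. In the IKE_SA_INIT request the responder SPI
# in the IKE header is still all zeros, so the initiator hashes it as such.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R_REQUEST = bytes(8)

# Constructed topology: initiator on 10.0.0.5:500 behind a NAT that rewrites
# its packets to 203.0.113.7:4500; responder directly on 198.51.100.9:500.
INITIATOR_PRIVATE = ("10.0.0.5", 500)
INITIATOR_AS_SEEN_BY_RESPONDER = ("203.0.113.7", 4500)
RESPONDER = ("198.51.100.9", 500)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Value carried in a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    payload: SHA-1 over initiator SPI, responder SPI, IP address (4 or 16 bytes)
    and UDP port, all in network byte order (RFC 7296 section 2.23)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(received_hashes, spi_i: bytes, spi_r: bytes, observed_ip: str,
                 observed_port: int) -> bool:
    """True when the address/port observed on the wire matches none of the hashes
    the peer sent. A peer may send several NAT_DETECTION_SOURCE_IP payloads
    (one per local address); the RFC treats any single match as 'no NAT'."""
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return expected not in received_hashes


def responder_checks_request() -> dict:
    """The responder's view of the constructed IKE_SA_INIT request:
    is the initiator behind a NAT, and is the responder itself behind one?"""
    # Payloads as the initiator built them from its own (private) addresses.
    src_hashes = [nat_detection_hash(SPI_I, SPI_R_REQUEST, *INITIATOR_PRIVATE)]
    dst_hashes = [nat_detection_hash(SPI_I, SPI_R_REQUEST, *RESPONDER)]
    return {
        # Source hash covers 10.0.0.5:500 but the packet arrived from 203.0.113.7:4500.
        "initiator_behind_nat": nat_detected(src_hashes, SPI_I, SPI_R_REQUEST,
                                             *INITIATOR_AS_SEEN_BY_RESPONDER),
        # Destination hash covers the responder's real address, so no NAT on its side.
        "responder_behind_nat": nat_detected(dst_hashes, SPI_I, SPI_R_REQUEST, *RESPONDER),
    }


if __name__ == "__main__":
    print(responder_checks_request())  # {'initiator_behind_nat': True, 'responder_behind_nat': False}
```

When either flag is true, both peers switch to UDP port 4500 and must UDP-encapsulate ESP (RFC 3948), which is the state in which the patch described above then loses traffic on the receiving side.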

I don't know why this happens. I've been staring at the code and going through kernel code for what seems like ages. I have to admit that I'm stuck. If you can find out what's wrong, I would appreciate it if you contacted me.

I have done a sort of brain dump about the problem and what I've already tried on the project page. Perhaps it will be of some help if someone else (or even myself, at a later date) tries to figure out what's wrong. For more, see:

https://hack.org/mc/projects/openiked/

Reyk recently presented Openiked at BSDCan 2013. I wish him luck and I hope that the project will get the interest it deserves.

I will continue to follow the Openiked project, updating the FreeBSD port security/openiked as needed. If there's any new development on the NAT-T front, I will also update my patch, but from now on I won't spend much time on it.


Written by MC using Emacs and friends.