Re: IPsec and IKEv2

To: Sad Clouds <cryintothebluesky%gmail.com@localhost>
Subject: Re: IPsec and IKEv2
From: Andrew Cagney <andrew.cagney%gmail.com@localhost>
Date: Tue, 9 Dec 2025 17:05:45 -0500

On Tue, 9 Dec 2025 at 10:26, Sad Clouds <cryintothebluesky%gmail.com@localhost> wrote:
>
> I'm experimenting with IPsec on NetBSD. The base system comes with
> racoon(8) daemon but ChatGPT tells me it's probably buggy and
> unmaintained and only supports IKEv1.
>
> There is pkgsrc security/racoon2 but the package github page states:

Libreswan 5.3 is in pkgsrc/wip/libreswan-5
If you drill down into https://testing.libreswan.org/ you'll find
tests being run on NetBSD VMs, including configurations.

> "Racoon2 is also based on very old code and it is still very buggy.
> Although Racoon2 can be configured to establish working IPsec
> connections using both IKEv1 and IKEv2, in its current form, most users
> who do not have experience configuring IPsec connections will not be
> able to get a connection working without significant effort."
>
> I cannot find OpenBSD iked(8) for NetBSD, so I assume it was never
> ported?
>
> Since NetBSD NFS implementation does not support Kerberos, I want to
> try running NFS over IPsec. However I would like to avoid spending a
> lot of time debugging IKE software issues.
>
> Would it be better to disregard racoon and racoon2 and only use manual
> keys? Can anyone recommend any other alternatives or share their
> experience?

References:
- IPsec and IKEv2
  - From: Sad Clouds

Prev by Date: Re: IPsec and IKEv2
Previous by Thread: Re: IPsec and IKEv2
Indexes:

Home | Main Index | Thread Index | Old Index