On Jun 13, 11:23am, frchuckz%gmail.com@localhost (Chuck Zmudzinski) wrote:
-- Subject: Re: Testing racoon
Thanks for all the feedback and testing!
| The problem was fixed by a reboot of the whole system, and then racoon
| started normally again.
There might be still an issue with buffer space in current, but we explicitly
bumped the limits for syslogd and kernel sockets. I am not sure what went
on here and the ipsec related socket buffers got full.
| I think it would be great to get racoon2 working with IKEv2, so that we
| could
| use NetBSD as a server for built in Windows, ios, and android IKEv2 VPN
| clients. From what I have read so far from Windows support pages and some
| sample configurations of Strongswan IKEv2 VPN servers, it appears those
| clients still use L2TP tunnels, but I think also it is IPsec tunnel
| mode, not
| transport mode as in the case of L2TP/IPsec clients that use IKEv1.
| According to
| RFC 3948, fixing NAT-T in IPsec tunnel mode does not require the
| checksum fix
| but instead requires careful verification of the IP addresses of the
| tunnelled
| traffic.
|
| I plan on experimenting with the pkgsrc racoon2 with NetBSD current. We
| might need to verify the kernel can implement RFC 3948 for tunnel mode.
| I think it is working now for transport mode, but not yet optimal because of
| the way we are fixing the tcp/udp checksums.
|
Yes, I'd like that very much too. I got it to compile as I mentioned, but
did not have time to work on it more. Perhaps we should just move it to
a github repository or something and work on it together.
christos