tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



On 10/22/2022 4:58 PM, Andrew Cagney wrote:
> On Thu, 20 Oct 2022 at 12:19, Mathew, Cherry G. <c%bow.st@localhost> wrote:
> > >Each client will (probably) generate unique client->server and
> > >server->client SPIs (identifiers). The server knows these values so
> > >should be able to DTRT. On the other hand the NAT is clueless as to
> > >who has which inbound SPI so likely just forwards the packets to
> > >the most recent ESP sender.
> > >
> >
> > This is my best guess too, but unfortunately I have no way to test because the clients are phones.
> >
> > Would this behavior theoretically be identical regardless of client type? (i.e., if I added a third client running NetBSD + racoon as client)
>
> Yes, it's IP all the way down.  Getting a NetBSD client involved would
> definitely make life easier.
>
> > >(of course I could be completely wrong, I refuse to read IKEv1 specs)
> >
> > What is the latest hot stuff? WireGuard? I don't see WireGuard VPN client options for phones though....
>
> I asked around, apparently the buzzwords to look for are IKEv2 and EAP-MSCHAPv2.
>
> Andrew

I worked with Christos a couple of years ago on exploring porting an IKEv2 client to NetBSD. We thought OpenBSD's iked was the best option because it is actively developed by OpenBSD, but unfortunately OpenBSD dropped their work on providing iked for other platforms. racoon2, which has IKEv2, was also investigated, but racoon2 is not actively developed anywhere. We had some success with porting OpenBSD's iked to NetBSD, but not enough resources to complete the job, which would also require either replacing racoon for IKEv1 with OpenBSD's IKEv1 client or otherwise developing a solution to support both IKEv1 and IKEv2, so the effort stalled. Unfortunately I do not have time to continue the effort.

My tests of both openiked and racoon2 on NetBSD at the time did successfully provide a working IKEv2 VPN server on NetBSD-current of that time for iPhones, Windows clients, etc., but it was far from ready for production use. Also, in my tests both the server and the client could be behind an IPv4 NAT, but it did not support multiple clients behind the same NAT. IKEv2 uses IPsec tunnel mode instead of IPsec transport mode with L2TP packets and PPP to provide an IP tunnel, and it is able to tunnel both IPv4 and IPv6 over the VPN connection, and OpenBSD's iked also provides support for MOBIKE on the server side for more robust connections from clients that also have MOBIKE, such as Windows and iOS VPN clients.

There are a couple of public GitHub repos for openiked and racoon2 on NetBSD that document the work that was done a few years ago, if anyone is interested in picking up that project and continuing it:

https://github.com/zmudc/openiked
https://github.com/zoulasc/racoon2

Cheers,

Chuck

