IPsec VPN with smartphones and FreeBSD 8.3 - some patches for netipsec/key.c
-
Interesting post from the freebsd-net mailing list:
http://lists.freebsd.org/pipermail/freebsd-net/2012-September/033170.html
Andreas Longwitz longwitz at incore.de
Wed Sep 5 13:10:02 UTC 2012
Support for IPsec VPNs: some patches for netipsec/key.c

Hi, as a continuation of
http://lists.freebsd.org/pipermail/freebsd-stable/2012-April/067307.html
I would like to describe what I have done to get smartphones with IPsec VPNs
working with a FreeBSD 8.3 server.

The clients are iPhones with Cisco IPsec (authentication_method
xauth_rsa_server in tunnel mode) and Androids with L2TP over IPsec
(authentication_method rsasig in transport mode). On the server I have
FreeBSD 8.3 with NAT-T support and the ports ipsec-tools-0.8.0_2 and
mpd-5.5.

To filter all packets in transport and tunnel mode on the enc0
interface, I use net.enc.out.ipsec_filter_mask=1 and
net.enc.in.ipsec_filter_mask=3. Furthermore, my server includes
the patches given in kern/146190 to ignore checksums and kern/169620 to
avoid packet bypass on ngX.

The following patches are all for netipsec/key.c:
[…]
-
There have been IPsec+L2TP patches around for a long time; the problem is that they require allowing anonymous PSKs, which is a bit of a security risk.
I haven't looked at this guy's code yet, though; for some reason the list archive isn't loading for me right now.
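For readers who want to see what the "anonymous PSK" setup mentioned above actually looks like, here is an added racoon.conf example (ipsec-tools 0.8.x, as shipped in the port the mailing-list post names). It is not taken from the post or from the blog author: it shows the weak variant, an anonymous remote authenticated by one shared pre_shared_key, beside the certificate-based variant (authentication_method rsasig) that the post describes for its Android L2TP-over-IPsec clients. Only one of the two remote blocks would be present in a real configuration; the file paths, certificate file names and algorithm choices are assumptions, and the iPhone case (xauth_rsa_server with mode_cfg) is not shown.

```conf
# Added example, not from the mailing-list post or this blog. Two alternative
# "remote anonymous" blocks for racoon on a FreeBSD L2TP/IPsec server; a real
# racoon.conf contains only one of them. Paths and file names are assumptions.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";  # assumed path
path certificate    "/usr/local/etc/racoon/certs";    # assumed path

# --- Weak: anonymous peers authenticated by a shared PSK --------------------
# Mobile clients arrive from unknown, NATed addresses, so the remote must be
# "anonymous". racoon then cannot pick a per-peer PSK by address, so psk.txt
# holds one group secret that every client carries. Whoever obtains that single
# secret can impersonate the server to every client, and with aggressive mode
# an eavesdropper also captures material for an offline guess at the PSK.
remote anonymous {
    exchange_mode aggressive, main;
    my_identifier address;
    nat_traversal on;
    generate_policy on;
    proposal_check obey;
    passive on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# --- Corrected: anonymous peers authenticated by X.509 certificates ---------
# Same "anonymous" remote, but authentication_method rsasig as in the post's
# Android setup: each client presents its own certificate issued by the CA in
# ca.crt, and verify_cert makes racoon validate it. Losing one client's key
# exposes only that client, and its certificate can be revoked.
remote anonymous {
    exchange_mode main;
    certificate_type x509 "server.crt" "server.key";   # assumed file names
    ca_type x509 "ca.crt";                             # assumed file name
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    nat_traversal on;
    generate_policy on;
    proposal_check obey;
    passive on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

# Phase 2, shared by both variants. With generate_policy on, racoon (as the
# responder) builds the SPD entry from the initiator's first proposal, so the
# transport-mode policy for the L2TP client needs no per-client spdadd.
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

The security difference is entirely in the `proposal` block and the identity settings: the PSK variant has one secret for the whole user base and no way to revoke a single device, while the rsasig variant gives every device its own credential and keeps the server's own certificate in the exchange, so a stolen client key cannot be used to impersonate the gateway.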