IPsec VPN with smartphones and FreeBSD 8.3 - some patches for netipsec/key.c
Interesting post from the freebsd-net mailing list:
Andreas Longwitz longwitz at incore.de
Wed Sep 5 13:10:02 UTC 2012
Support for IPSec VPN's: some patches for netipsec/key.c
Hi, as continuation of
I'd like to describe what I have done to get smartphones with IPSec VPNs
working with a FreeBSD 8.3 server.
The clients are iPhones with Cisco IPSec (authentication_method
xauth_rsa_server in tunnel mode) and Androids with L2TP over IPSec
(authentication_method rsasig in transport mode). On the server I have
FreeBSD 8.3 with NAT-T support and the ports ipsec-tools-0.8.0_2 and
To filter all packets in transport and tunnel mode on the enc0
interface, I use net.enc.out.ipsec_filter_mask=1 and
net.enc.in.ipsec_filter_mask=3. Further, my server includes
the patches given in kern/146190 to ignore checksums and kern/169620 to
avoid packet bypass on ngX.
The following patches are all for netipsec/key.c:
jimp (Rebel Alliance Developer, Netgate):
There have been IPsec+L2TP patches around for a long time, the problem is they require allowing anonymous PSKs, which is a bit of a security risk.
I haven't looked at this guy's code yet though, for some reason the list archive isn't loading for me right now.