IPsec VPN with smartphones and FreeBSD 8.3 - some patches for netipsec/key.c

  • Interesting post from the freebsd-net mailing list:


    Andreas Longwitz longwitz at incore.de
    Wed Sep 5 13:10:02 UTC 2012
    Support for IPSec VPN's: some patches for netipsec/key.c

    Hi, as a continuation of
    I would like to describe what I have done to get smartphones with IPsec VPNs
    working with a FreeBSD 8.3 server.

    The clients are iPhones with Cisco IPsec (authentication_method
    xauth_rsa_server in tunnel mode) and Androids with L2TP over IPsec
    (authentication_method rsasig in transport mode). On the server I have
    FreeBSD 8.3 with NAT-T support and the ports ipsec-tools-0.8.0_2 and

    To filter all packets in transport and tunnel mode on the enc0
    interface, I use net.enc.out.ipsec_filter_mask=1 and
    net.enc.in.ipsec_filter_mask=3. Further, my server includes
    the patches given in kern/146190 to ignore checksums and kern/169620 to
    avoid packet bypass on ngX.

    The following patches are all for netipsec/key.c:


  • Rebel Alliance Developer Netgate

    There have been IPsec+L2TP patches around for a long time; the problem is they require allowing anonymous PSKs, which is a bit of a security risk.

    I haven't looked at this guy's code yet though, for some reason the list archive isn't loading for me right now.

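    The contrast the reply is drawing, as an added example that is not part of either post: two alternative racoon.conf `remote anonymous` blocks for roaming clients whose addresses are not known in advance. The first is the anonymous pre-shared-key setup the reply calls a risk; the second is the certificate-based (`authentication_method rsasig`) setup the mailing-list post uses for its Android clients. The certificate file names, the `path` directory and the cipher/hash/DH choices are assumptions, not taken from the page; the two blocks are alternatives, so only one of them would appear in a real configuration.

```conf
# Added example, not from the original posts. Only one of the two
# "remote anonymous" blocks below belongs in a real racoon.conf.

path certificate "/usr/local/etc/racoon/certs";   # assumed directory

# Weak: a single pre-shared key that every phone knows. Because the
# peer is "anonymous", anyone holding that one secret can complete
# IKE phase 1, and one lost or compromised handset means re-keying
# every client. This is the "anonymous PSK" risk raised in the reply.
remote anonymous {
        exchange_mode aggressive, main;
        nat_traversal on;
        generate_policy on;
        passive on;
        proposal {
                encryption_algorithm aes 256;   # assumed
                hash_algorithm sha1;            # assumed
                authentication_method pre_shared_key;
                dh_group 2;                     # assumed
        }
}

# Stronger: each peer authenticates with its own X.509 certificate that
# must chain to our CA (verify_cert on), so a single handset can be
# revoked without touching the others. This matches the rsasig
# authentication the mailing-list post describes.
remote anonymous {
        exchange_mode main;
        nat_traversal on;
        generate_policy on;
        passive on;
        certificate_type x509 "server.crt" "server.key";   # assumed file names
        ca_type x509 "ca.crt";                             # assumed file name
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes 256;   # assumed
                hash_algorithm sha1;            # assumed
                authentication_method rsasig;
                dh_group 2;                     # assumed
        }
}
```

    The tunnel/transport mode choice the post mentions lives in the policy (sainfo/SPD) side of the configuration rather than in these `remote` blocks, so it is left out here.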