IKEv2, what would it take to get this?



  • There's another thread on this topic that is unfortunately locked. I'm not sure why, but I can't imagine that there isn't any general interest in getting IKEv2 IPsec to pfSense, so I'm opening a new thread to discuss a couple points. Also, I don't want to start another discussion on whether IKEv2 is needed or whether OpenVPN is sufficient, so please let's spare ourselves from discussing that. I'm interested in discussing how we could bring more functionality to pfSense without sacrificing any of the existing features, so this really is about getting IKEv2 to the platform without breaking anything that people already use.

    I'd be willing to contribute to this effort by performing necessary ports in pfSense, including getting the frontend functionality done. In order to do so, I have a couple questions that I would like to discuss with the core dev team:

    1. It is mentioned in this thread https://forum.pfsense.org/index.php?topic=52772.0 that a move to Racoon 2 would be required and that this would be a significant endeavor. Jimp mentioned this and I'm wondering whether he/she could add some more context to where the challenges lie in doing this. I'd like to know whether there have already been pitfalls identified and where core developers believe the risks lie in moving to Racoon 2. I also assume that initially the goal would be to move the existing functionality stack to parity on Racoon 2, avoiding any regressions. Are there known issues with just moving the existing functionality over?

    2. Once a move to Racoon 2 has been completed, where do core devs see the challenge in enabling IKEv2?

    Getting an understanding of the above questions is paramount to start this endeavor, so I'm hoping that someone familiar with the matter can chime in.


  • Rebel Alliance Developer Netgate

    On pfSense 2.2 it may be possible (perhaps not yet though) since we have moved to strongSwan.



  • Hooray!

