tech-net archive


Re: Testing racoon



On Jun 13, 11:23am, frchuckz%gmail.com@localhost (Chuck Zmudzinski) wrote:
-- Subject: Re: Testing racoon

Thanks for all the feedback and testing!

| The problem was fixed by a reboot of the whole system, and then racoon
| started normally again.

There might still be an issue with buffer space in current, but we explicitly
bumped the limits for syslogd and kernel sockets. I am not sure what went
on here and why the IPsec-related socket buffers got full.

| I think it would be great to get racoon2 working with IKEv2, so that we
| could use NetBSD as a server for built-in Windows, iOS, and Android IKEv2 VPN
| clients. From what I have read so far from Windows support pages and some
| sample configurations of strongSwan IKEv2 VPN servers, it appears those
| clients still use L2TP tunnels, but I think also it is IPsec tunnel mode, not
| transport mode as in the case of L2TP/IPsec clients that use IKEv1.
| According to RFC 3948, fixing NAT-T in IPsec tunnel mode does not require the
| checksum fix but instead requires careful verification of the IP addresses
| of the tunnelled traffic.
| 
| I plan on experimenting with the pkgsrc racoon2 with NetBSD current. We
| might need to verify the kernel can implement RFC 3948 for tunnel mode.
| I think it is working now for transport mode, but not yet optimal because of
| the way we are fixing the TCP/UDP checksums.
| 

Yes, I'd like that very much too. I got it to compile as I mentioned, but
did not have time to work on it more. Perhaps we should just move it to
a github repository or something and work on it together.

christos
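The RFC 3948 point raised in the quoted message, as an added Python illustration (not code from this thread, racoon or NetBSD): in transport mode a NAT rewrites the address the TCP checksum was computed over, so the receiver must recompute it; in tunnel mode the inner header survives NAT intact, so the checksum still verifies and what must be checked is the inner source address against the SA's selector. Addresses, ports and the selector are constructed sample values.

```python
import ipaddress
import struct

def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    # Checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, length)
    # plus the segment with its own checksum field zeroed.
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + seg)) & 0xFFFF

def set_checksum(segment: bytes, src: str, dst: str) -> bytes:
    # Transport-mode receiver's fix: recompute for the post-NAT addresses.
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src, dst, segment)

def build_segment(src: str, dst: str, sport: int, dport: int) -> bytes:
    # Minimal 20-byte TCP SYN header, checksum computed for the given addresses.
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return set_checksum(hdr, src, dst)

def build_inner_packet(src: str, dst: str, segment: bytes) -> bytes:
    # Minimal IPv4 header around the segment (IP header checksum left zero;
    # only the addresses and the TCP checksum are inspected here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + segment

def verify_tunnel(inner: bytes, allowed_src: str) -> bool:
    # Tunnel-mode receiver: the NAT only touched the outer header, so the inner
    # addresses still match the checksum. What needs checking is that the inner
    # source lies inside the selector the SA was negotiated for.
    ihl = (inner[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    if src not in ipaddress.IPv4Network(allowed_src):
        return False
    return checksum_ok(str(src), str(dst), inner[ihl:])
```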

