Hello openbsd-misc,
Due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec
client on an OpenBSD 6.6 machine. While establishing an IKE_SA works fine,
installing policies for CHILD_SA fails (as expected):
> unable to install IPsec policies (SPD) in kernel
> failed to establish CHILD_SA, keeping IKE_SA
To those who are running strongSwan as an IPsec client on OpenBSD: Which is
the best procedure in this case? Are there other methods of installing IPsec
policies into the kernel available?
Thanks for any help in advance.
Best regards,
Peter Müller
P.S.: In case anybody wonders about the "OpenIKED flaws", these are as follows:
(a) Restarting single connections is not possible
(b) Dead Peer Detection is missing (I am aware of ifstated as a "replacement",
but since there seems to be no way of restarting a single IPsec connection,
restarting the whole iked daemon causes operational tunnels to crash)
(c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
(d) Does not seem to support more than one private key
Apart from that, I really appreciate OpenIKED, especially for its
configuration file syntax, but unfortunately cannot use it, primarily due to
(a) and (d).