On 2020-02-14, Peter Müller <peter.muel...@link38.eu> wrote:
> Hello openbsd-misc,
>
> during some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA fails (as expected):
>
>> unable to install IPsec policies (SPD) in kernel
>> failed to establish CHILD_SA, keeping IKE_SA
>
> To those who are running strongSwan as an IPsec client on OpenBSD: Which is the best procedure in this case? Are there other methods of installing IPsec policies into the kernel available?

strongSwan's module to install policies to the kernel (kernel-pfkey) does
not support OpenBSD without making code changes. Not impossible but hasn't
been done. Only their userland setup that works with tun(4) devices
(slightly confusingly called kernel-ipsec) is available.


> P.S.: In case anybody wonders about the "OpenIKED flaws", these are as follows:
> (a) Restarting single connections is not possible
> (b) Dead Peer Detection is missing (I am aware of ifstated as a "replacement", but since there seems to be no way of restarting a single IPsec connection, restarting the whole iked daemon causes operational tunnels to crash)
> (c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
> (d) Does not seem to support more than one private key

(e) no client side address-config
(f) doesn't work with intermediate certs
(plus some other missing things that would make life a lot easier, especially
punting EAP off to a radius server ;)

> Apart from that, I really appreciate OpenIKED especially for its configuration file syntax, but unfortunately cannot use it primarily due to (a) and (d).