17a33 [Solved] FreeBSD 9.x IPSEC - The FreeBSD Forums
The FreeBSD Forums  

Go Back   The FreeBSD Forums > Server & Networking > Networking
Reload this Page [Solved] FreeBSD 9.x IPSEC
Register FAQ Calendar Search Today's Posts Mark Forums Read

Networking Network related discussions (including general TCP/IP stuff, routing, etc).

Reply
 
Thread Tools Display Modes
  #1  
Old September 19th, 2012, 21:04
gkontos's Avatar
gkontos gkontos is offline
Senior Member
  
Join Date: Dec 2009
Location: Polidendri, GR
Posts: 1,263
Thanks: 42
Thanked 218 Times in 164 Posts
Default FreeBSD 9.x IPSEC
Hi all,

I am really curious in regards to IPSEC implementation in FreeBSD 9.x versus FreeBSD 8.x

So far the only information I have found are from the Release notes but it doesn't seem to cover my questions.

More specifically, I am interested to find out the current implementation of IPSEC in FreeBSD in regards to IPv6.

I would appreciate if anyone could point me to a more recent, current documentation.

Thanks
__________________
Powered by BareBSD
Last edited by gkontos; September 20th, 2012 at 23:24.
Reply With Quote
  #2  
Old September 20th, 2012, 06:45
throAU throAU is offline
Member
  
Join Date: Jan 2012
Location: Perth, Western Australia
Posts: 561
Thanks: 92
Thanked 77 Times in 72 Posts
Default
Reading the release notes it looks like 9.0 has been changed to be RFC 4868 compliant, rather than some FreeBSD quirk.

See RFC4868

According to the release notes this means FreeBSD9 -> Previous FreeBSD will not work with IPSEC.

As I understand it, IPSEC is a mandatory component of IPV6?


Sorry I haven't tested IPV6 at all with IPSEC, and my previous IPSEC experience with FreeBSD is from back in the 4.x days However, from the looks of it, my ASSUMPTION is that if IPV6 with IPSEC worked previously, it should work now, so long as the boxes involved are either both FreeBSD 9.x, FreeBSD 9.x to an RFC 4868 compliant device, or both previous versions of FreeBSD.
__________________
I use: FreeBSD, Mac OS X, Windows, Netapp, Cisco UCS, Cisco CUCM, Cisco IOS, Cisco ASA, vSphere 5.1, Cisco ISE, Orion NPM
Last edited by throAU; September 20th, 2012 at 10:10.
Reply With Quote
  #3  
Old September 20th, 2012, 06:52
kpa kpa is offline
Senior Member
  
Join Date: Jul 2010
Location: People's Technocratic Republic of Finland
Posts: 1,980
Thanks: 44
Thanked 460 Times in 390 Posts
Default
Quote:
Originally Posted by throAU View Post
As I understand it, IPSEC is a mandatory component of IPV6?
Not really as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".
Reply With Quote
  #4  
Old September 20th, 2012, 07:59
SirDice's Avatar
SirDice SirDice is offline
Moderator
  
Join Date: Nov 2008
Location: Rotterdam, Netherlands
Posts: 13,694
Thanks: 47
Thanked 2,020 Times in 1,859 Posts
Default
IPSec is most definitely part of the IPv6 specs.

Quote:
IPsec is a mandatory component for IPv6, and therefore, the IPsec security model is required to be supported for all IPv6 implementations in near future. In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header.
http://www.ipv6.com/articles/security/IPsec.htm

http://www.freebsd.org/doc/en/books/...implementation
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
Reply With Quote
  #5  
Old September 20th, 2012, 10:09
throAU throAU is offline
Member
  
Join Date: Jan 2012
Location: Perth, Western Australia
Posts: 561
Thanks: 92
Thanked 77 Times in 72 Posts
Default
Quote:
Originally Posted by kpa View Post
Not really as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".
Not mandatory to make a connection via IPv6 (i.e., connect to your tunnel broker), but mandatory to claim that you have an IPv6 implementation.

If your device/OS doesn't support IPSec, then it doesn't have a complete IPv6 implementation.
__________________
I use: FreeBSD, Mac OS X, Windows, Netapp, Cisco UCS, Cisco CUCM, Cisco IOS, Cisco ASA, vSphere 5.1, Cisco ISE, Orion NPM
Reply With Quote
  #6  
Old September 20th, 2012, 10:28
gkontos's Avatar
gkontos gkontos is offline
Senior Member
  
Join Date: Dec 2009
Location: Polidendri, GR
Posts: 1,263
Thanks: 42
Thanked 218 Times in 164 Posts
Default
That's where the confusion begins.
  • IPSEC is mandatory for IPv6 (RFC1752).
  • Earlier versions of FreeBSD < 9 where based on the KAME project which actually provided the necessary IPSEC implementation.

After FreeBSD 9.0-RELEASE it is my understanding that the KAME project is no longer being used for IPv6. Yet, IPv6 works natively without having to build a custom KERNEL with IPSEC.
__________________
Powered by BareBSD
Reply With Quote
  #7  
Old September 20th, 2012, 10:51
SirDice's Avatar
SirDice SirDice is offline
Moderator
  
Join Date: Nov 2008
Location: Rotterdam, Netherlands
Posts: 13,694
Thanks: 47
Thanked 2,020 Times in 1,859 Posts
Default
The KAME project was integrated into FreeBSD. Which marked the end of the KAME project. It was further developed as a standard part of FreeBSD. In a similar fashion as TrustedBSD got integrated.

It's fairly simple actually, if you want to support IPv6 you must also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
Reply With Quote
The Following User Says Thank You to SirDice For This Useful Post:
throAU (September 21st, 2012)
  #8  
Old September 20th, 2012, 11:42
gkontos's Avatar
gkontos gkontos is offline
Senior Member
  
Join Date: Dec 2009
Location: Polidendri, GR
Posts: 1,263
Thanks: 42
Thanked 218 Times in 164 Posts
Default
Quote:
Originally Posted by SirDice View Post
The KAME project was integrated into FreeBSD. Which marked the end of the KAME project. It was further developed as a standard part of FreeBSD. In a similar fashion as TrustedBSD got integrated.
Ok, that makes sense. I was not aware of the fact that the KAME project got integrated into FreeBSD.

Quote:
Originally Posted by SirDice View Post
It's fairly simple actually, if you want to support IPv6 you must also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.
I know IPSEC is mandatory for IPv6 to work. That is why I got confused in the first place.

So, to conclude is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?
__________________
Powered by BareBSD
Reply With Quote
  #9  
Old September 20th, 2012, 12:43
SirDice's Avatar
SirDice SirDice is offline
Moderator
  
Join Date: Nov 2008
Location: Rotterdam, Netherlands
Posts: 13,694
Thanks: 47
Thanked 2,020 Times in 1,859 Posts
Default
Quote:
Originally Posted by gkontos View Post
So, to conclude is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?
I think it's safe to conclude the entire handbook could use a little TLC
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
Reply With Quote
  #10  
Old September 20th, 2012, 15:35
gkontos's Avatar
gkontos gkontos is offline
Senior Member
  
Join Date: Dec 2009
Location: Polidendri, GR
Posts: 1,263
Thanks: 42
Thanked 218 Times in 164 Posts
Default
Quote:
Originally Posted by SirDice View Post
I think it's safe to conclude the entire handbook could use a little TLC
You are right about that
__________________
Powered by BareBSD
Reply With Quote
  #11  
Old September 20th, 2012, 16:41
wblock@'s Avatar
wblock@ wblock@ is offline
Moderator
  
Join Date: Sep 2009
Location: Milky Way galaxy
Posts: 7,701
Thanks: 429
Thanked 1,757 Times in 1,456 Posts
Default
When you see things that need to be updated in the Handbook, please enter a PR. Be as specific as you can about what is wrong or missing. Patches are even better. Without a PR, things can coast along with nobody realizing there is a problem.
Reply With Quote
  #12  
Old September 20th, 2012, 23:23
gkontos's Avatar
gkontos gkontos is offline
Senior Member
  
Join Date: Dec 2009
Location: Polidendri, GR
Posts: 1,263
Thanks: 42
Thanked 218 Times in 164 Posts
Default
Quote:
Originally Posted by wblock@ View Post
When you see things that need to be updated in the Handbook, please enter a PR. Be as specific as you can about what is wrong or missing. Patches are even better. Without a PR, things can coast along with nobody realizing there is a problem.
You are absolutely right and I will. As a matter of fact the FreeBSD Handbook is a very valuable piece of information. We need to keep it up to date because during the last 8 years that I am following FreeBSD closely, a lot of things have changed.
__________________
Powered by BareBSD
Reply With Quote
The Following User Says Thank You to gkontos For This Useful Post:
throAU (September 21st, 2012)
  #13  
Old September 23rd, 2012, 18:15
gkontos's Avatar
gkontos gkontos is offline
Senior Member
  
Join Date: Dec 2009
Location: Polidendri, GR
Posts: 1,263
Thanks: 42
Thanked 218 Times in 164 Posts
Default
Some new developments in my research so far:

IPSEC implementation is mandatory for IPv6, IPSEC deployment is not.

It turns out that the word "must" has changed to "should". See RFC 6434.

Quote:
The RIPE IPv6 Working Group has extensively discussed whether to make IPsec support mandatory or optional. The most vocal constituents showed support for moving IPsec to the optional sections, which is what is reflected in this document.
Link: http://www.ripe.net/ripe/docs/curren...ments/ripe-554
__________________
Powered by BareBSD
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
VPN IPSEC FreeBSD <--> Juniper SRX gbernardes Networking 0 August 13th, 2012 18:12
setting IPSEC tunnel with ipsec-tools bored_to_death Networking 5 June 7th, 2010 08:42
Checkpoint vs. FreeBSD IPSEC problem fefo Networking 1 January 31st, 2010 12:18
VPN over IPsec on FreeBSD 8.0 vodvorezlaya Networking 2 December 30th, 2009 15:43
FreeBSD-SA-08:04.ipsec admin News & Announcements 0 February 20th, 2008 23:46


All times are GMT +1. The time now is 09:03.

Contact Us - FreeBSD - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.
The mark FreeBSD is a registered trademark of The FreeBSD Foundation and is used by The FreeBSD Project with the permission of The FreeBSD Foundation.
Web protection and acceleration provided by CloudFlare
0