[Solved] FreeBSD 9.x IPSEC - The FreeBSD Forums (Server & Networking > Networking)
#1, September 19th, 2012, 21:04
gkontos (Senior Member; Join Date: Dec 2009; Location: Polidendri, GR; Posts: 1,265)
FreeBSD 9.x IPSEC

Hi all,

I am really curious in regards to the IPSEC implementation in FreeBSD 9.x versus FreeBSD 8.x.

So far the only information I have found is from the release notes, but they don't seem to cover my questions.

More specifically, I am interested to find out the current implementation of IPSEC in FreeBSD in regards to IPv6.

I would appreciate if anyone could point me to a more recent, current documentation.

Thanks
__________________
Powered by BareBSD

Last edited by gkontos; September 20th, 2012 at 23:24.
#2, September 20th, 2012, 06:45
throAU (Member; Join Date: Jan 2012; Location: Perth, Western Australia; Posts: 561)

Reading the release notes it looks like 9.0 has been changed to be RFC 4868 compliant, rather than some FreeBSD quirk.

See RFC4868

According to the release notes this means FreeBSD9 -> Previous FreeBSD will not work with IPSEC.

As I understand it, IPSEC is a mandatory component of IPV6?


Sorry, I haven't tested IPV6 at all with IPSEC, and my previous IPSEC experience with FreeBSD is from back in the 4.x days. However, from the looks of it, my ASSUMPTION is that if IPV6 with IPSEC worked previously, it should work now, so long as the boxes involved are either both FreeBSD 9.x, FreeBSD 9.x to an RFC 4868 compliant device, or both previous versions of FreeBSD.
__________________
I use: FreeBSD, Mac OS X, Windows, Netapp, Cisco UCS, Cisco CUCM, Cisco IOS, Cisco ASA, vSphere 5.1, Cisco ISE, Orion NPM

Last edited by throAU; September 20th, 2012 at 10:10.
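To make the compatibility point above concrete: the 9.0 release notes change the HMAC-SHA-256/384/512 ICV truncation to the RFC 4868 lengths (128/192/256 bits), where FreeBSD before 9.0 truncated these to 96 bits. The Python below is an added example, not code from the thread or from FreeBSD; it builds a minimal ESP-style packet with HMAC-SHA-256 under both truncation lengths and shows that a receiver configured for the other length rejects it. The key, SPI and payload bytes are constructed sample values.

```python
import hmac
import hashlib

# ICV (integrity check value) lengths for HMAC-SHA-256 in ESP/AH, in bytes.
ICV_LEN_LEGACY = 12    # 96 bits: truncation used by FreeBSD before 9.0
ICV_LEN_RFC4868 = 16   # 128 bits: HMAC-SHA-256-128 as RFC 4868 specifies


def compute_icv(key: bytes, authenticated: bytes, icv_len: int) -> bytes:
    """HMAC-SHA-256 over the authenticated part of an ESP packet (SPI,
    sequence number, ciphertext and trailer), truncated to icv_len bytes."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]


def build_packet(key: bytes, spi: int, seq: int, payload: bytes,
                 icv_len: int) -> bytes:
    """Assemble a minimal ESP packet: header, payload, then the ICV computed
    with the sender's configured truncation length."""
    authenticated = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return authenticated + compute_icv(key, authenticated, icv_len)


def verify_icv(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side: take the last icv_len bytes as the ICV, recompute the
    MAC over the rest and compare in constant time. A peer that truncated to
    a different length produces a packet that fails this check."""
    if len(packet) <= icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(compute_icv(key, authenticated, icv_len), icv)


# Constructed sample values (not from any real SA): a 256-bit auth key and a
# dummy payload standing in for ciphertext plus ESP trailer.
KEY = bytes(range(32))
PAYLOAD = bytes(48)


def interop(sender_icv_len: int, receiver_icv_len: int) -> bool:
    """Does a packet built with one truncation length verify on a receiver
    configured for another? True only when both sides agree."""
    pkt = build_packet(KEY, spi=0x1000, seq=1, payload=PAYLOAD,
                       icv_len=sender_icv_len)
    return verify_icv(KEY, pkt, receiver_icv_len)


if __name__ == "__main__":
    for s, r in [(12, 12), (16, 16), (12, 16), (16, 12)]:
        print(f"sender {s * 8}-bit ICV -> receiver {r * 8}-bit ICV: "
              f"{'ok' if interop(s, r) else 'REJECTED'}")
```

The two mixed cases are exactly the FreeBSD 9.x to pre-9.0 pairing: both sides hold the same key, but every packet fails integrity checking because the ICV lengths differ.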
#3, September 20th, 2012, 06:52
kpa (Giant Locked; Join Date: Jul 2010; Location: People's Technocratic Republic of Finland; Posts: 2,007)

Quote (Originally Posted by throAU):
As I understand it, IPSEC is a mandatory component of IPV6?
Not really as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".
#4, September 20th, 2012, 07:59
SirDice (Moderator; Join Date: Nov 2008; Location: Rotterdam, Netherlands; Posts: 13,702)

IPSec is most definitely part of the IPv6 specs.

Quote:
IPsec is a mandatory component for IPv6, and therefore, the IPsec security model is required to be supported for all IPv6 implementations in near future. In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header.
http://www.ipv6.com/articles/security/IPsec.htm

http://www.freebsd.org/doc/en/books/...implementation
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#5, September 20th, 2012, 10:09
throAU (Member; Join Date: Jan 2012; Location: Perth, Western Australia; Posts: 561)

Quote (Originally Posted by kpa):
Not really as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".
Not mandatory to make a connection via IPv6 (i.e., connect to your tunnel broker), but mandatory to claim that you have an IPv6 implementation.

If your device/OS doesn't support IPSec, then it doesn't have a complete IPv6 implementation.
__________________
I use: FreeBSD, Mac OS X, Windows, Netapp, Cisco UCS, Cisco CUCM, Cisco IOS, Cisco ASA, vSphere 5.1, Cisco ISE, Orion NPM
#6, September 20th, 2012, 10:28
gkontos (Senior Member; Join Date: Dec 2009; Location: Polidendri, GR; Posts: 1,265)

That's where the confusion begins.
  • IPSEC is mandatory for IPv6 (RFC1752).
  • Earlier versions of FreeBSD (< 9) were based on the KAME project, which actually provided the necessary IPSEC implementation.

After FreeBSD 9.0-RELEASE it is my understanding that the KAME project is no longer being used for IPv6. Yet, IPv6 works natively without having to build a custom KERNEL with IPSEC.
__________________
Powered by BareBSD
#7, September 20th, 2012, 10:51
SirDice (Moderator; Join Date: Nov 2008; Location: Rotterdam, Netherlands; Posts: 13,702)

The KAME project was integrated into FreeBSD, which marked the end of the KAME project. It was further developed as a standard part of FreeBSD, in a similar fashion as TrustedBSD got integrated.

It's fairly simple actually, if you want to support IPv6 you must also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#8, September 20th, 2012, 11:42
gkontos (Senior Member; Join Date: Dec 2009; Location: Polidendri, GR; Posts: 1,265)

Quote (Originally Posted by SirDice):
The KAME project was integrated into FreeBSD. Which marked the end of the KAME project. It was further developed as a standard part of FreeBSD. In a similar fashion as TrustedBSD got integrated.
Ok, that makes sense. I was not aware of the fact that the KAME project got integrated into FreeBSD.

Quote (Originally Posted by SirDice):
It's fairly simple actually, if you want to support IPv6 you must also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.
I know IPSEC is mandatory for IPv6 to work. That is why I got confused in the first place.

So, to conclude is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?
__________________
Powered by BareBSD
#9, September 20th, 2012, 12:43
SirDice (Moderator; Join Date: Nov 2008; Location: Rotterdam, Netherlands; Posts: 13,702)

Quote (Originally Posted by gkontos):
So, to conclude is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?
I think it's safe to conclude the entire handbook could use a little TLC.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#10, September 20th, 2012, 15:35
gkontos (Senior Member; Join Date: Dec 2009; Location: Polidendri, GR; Posts: 1,265)

Quote (Originally Posted by SirDice):
I think it's safe to conclude the entire handbook could use a little TLC
You are right about that.
__________________
Powered by BareBSD
#11, September 20th, 2012, 16:41
wblock@ (Moderator; Join Date: Sep 2009; Location: Milky Way galaxy; Posts: 7,711)

When you see things that need to be updated in the Handbook, please enter a PR. Be as specific as you can about what is wrong or missing. Patches are even better. Without a PR, things can coast along with nobody realizing there is a problem.
#12, September 20th, 2012, 23:23
gkontos (Senior Member; Join Date: Dec 2009; Location: Polidendri, GR; Posts: 1,265)

Quote (Originally Posted by wblock@):
When you see things that need to be updated in the Handbook, please enter a PR. Be as specific as you can about what is wrong or missing. Patches are even better. Without a PR, things can coast along with nobody realizing there is a problem.
You are absolutely right, and I will. As a matter of fact, the FreeBSD Handbook is a very valuable piece of information. We need to keep it up to date because during the last 8 years that I have been following FreeBSD closely, a lot of things have changed.
__________________
Powered by BareBSD
#13, September 23rd, 2012, 18:15
gkontos (Senior Member; Join Date: Dec 2009; Location: Polidendri, GR; Posts: 1,265)

Some new developments in my research so far:

IPSEC implementation is mandatory for IPv6, IPSEC deployment is not.

It turns out that the word "must" has changed to "should". See RFC 6434.

Quote:
The RIPE IPv6 Working Group has extensively discussed whether to make IPsec support mandatory or optional. The most vocal constituents showed support for moving IPsec to the optional sections, which is what is reflected in this document.
Link: http://www.ripe.net/ripe/docs/curren...ments/ripe-554
__________________
Powered by BareBSD