Home » Mailing list archives » openbsd-misc » 2010 » June » 10

Re: iked(8) and ikectl(8)

Previous thread: boot freezes when trying to detect memory by Epidemic SomeGuy on Thursday, June 3, 2010 - 1:55 pm. (1 message)

Next thread: Re: i7-720QM one more time by Charlie Root on Thursday, June 3, 2010 - 3:31 pm. (2 messages)
[view original message]
From: Reyk Floeter
Subject: iked(8) and ikectl(8)
Date: Thursday, June 3, 2010 - 2:06 pm

Hi!

Today I imported iked(8) that is another automatic keying daemon for
IPsec.  In difference to isakmpd(8), which supports the ISAKMP/Oakley
a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at
present.  The IKEv2 protocol in RFC 4306 has been simplified and
provides many benefits over ISAKMP/IKEv1.

iked(8) itself has been designed to fit the style of all the recent
OpenBSD daemons and comes with a tool ikectl(8) for runtime
configuration, status, working reloads, and integrated commands to
maintain a simple X.509 CA for IKEv2.  I also have some important
design goals that I will describe later.

The current state is that iked(8) still lacks a few important features
but works as a responder against different peer implementations.  That
means, you can set up a running VPN with Windows 7 or libstrongswan
libcharon clients connecting to iked(8) running as the server or
security gateway.  I will add initiator (client) mode next.

This is a very brief summary, more information will follow.

reyk


[ message continues ]
[view original message]
From: Eugene Yunak
Subject: Re: iked(8) and ikectl(8)
Date: Thursday, June 3, 2010 - 2:23 pm

Good stuff Reyk! Will try it shortly.
Looking forward to the details as well.

--
The best the little guy can do is what
the little guy does right


[ message continues ]
[view original message]
From: Massimo Lusetti
Subject: Re: iked(8) and ikectl(8)
Date: Friday, June 4, 2010 - 3:27 am

On Thu, 3 Jun 2010 23:06:58 +0200

That's great! ... 4.7 is just behind the door and is already time to
move on -current!

I got 48 IPsec gateways which just await to be upgraded!

Pretty nice!
-- 
Massimo


[ message continues ]
[view original message]
From: Reyk Floeter
Subject: Re: iked(8) and ikectl(8)
Date: Friday, June 4, 2010 - 3:35 am

but please a little bit before using it in production networks,
iked(8) is not fully ready yet ;-).

reyk


[ message continues ]
[view original message]
From: Massimo Lusetti
Subject: Re: iked(8) and ikectl(8)
Date: Thursday, June 10, 2010 - 7:31 am

On Fri, 4 Jun 2010 12:35:36 +0200

I'm following your commit flow about it and is exiting, this is why I'm
still with OpenBSD ;)

-- 
Massimo


[ message continues ]
[view original message]
From: Toni Mueller
Subject: Re: iked(8) and ikectl(8)
Date: Thursday, October 14, 2010 - 7:03 am

Hi,


this means...

(1) that only either iked OR isakmpd can run on one box?
(2) on one IP, but share the same box?

(3) or that iked has a dispatch mechanism to forward IKEv1 connections
to a bystanding isakmpd, and cooperate with it to allow for using both
types of connections on one IP?


My guess is that it's (1), but my preference would be (3), of course.


-- 
Kind regards,
--Toni++


[ message continues ]
Previous thread: boot freezes when trying to detect memory by Epidemic SomeGuy on Thursday, June 3, 2010 - 1:55 pm. (1 message)

Next thread: Re: i7-720QM one more time by Charlie Root on Thursday, June 3, 2010 - 3:31 pm. (2 messages)