IKEv2 support for IPsec
Hi dear pfSense devs!
One handicap I find in pfSense is the lack of IKEv2, which guarantees smooth operation for roadwarriors that have unreliable connections like 3G. Afaik racoon2 does support IKEv2 and now Strongswan supports FreeBSD too. I like Strongswan, but which of the two is better is up to you of course.
Thank you for listening,
#2 Updated by Dim Hatz over 7 years ago
Another option for IKEv2 would be the portable version of OpenBSD's OpenIKED
This is the port of OpenBSD's iked to Darwin/OS X and other operating systems (see "Supported Platforms").
iked is a lean Internet Key Exchange (IKEv2) daemon which performs mutual authentication and which establishes and maintains IPsec VPN flows and security associations (SAs) between the two peers. The IKEv2 protocol is defined in RFC 5996, which combines and updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407). iked only supports the IKEv2 protocol; support for ISAKMP/Oakley and IKEv1 is provided by OpenBSD's isakmpd(8) or other implementations on non-OpenBSD platforms.
iked supports mutual authentication using RSA public keys and X.509 certificates; it also supports responder/server-side authentication of clients using the EAP-MSCHAPv2 protocol over IKEv2. It interconnects with other IKEv2 implementations like the native IKEv2 implementation of Windows 7 or newer (aka Agile VPN) or strongSwan.
#3 Updated by Georgios Tsalikis over 7 years ago
I read about it. I am still worried about MOBIKE (isn't it important for roaming roadwarriors?) and the absence (?) of PSK support. I trust enormous passwords more than any kind of algorithm and I do not represent a company where issue and revocation of certs is important. But still, IPsec would expose a lot of my home's functionalities.
I also asked in ##pfsense whether, if I made a plugin, it could cancel built-in functions of the firewall. No answer so far.
#4 Updated by Adam Thompson about 7 years ago
OpenIKED port to FreeBSD 9.0 is complete according to firstname.lastname@example.org, as long as IPSEC is enabled in the kernel (still missing from GENERIC).
Port is not present in ports/9-current as of right now (or at least, I can't find it).
Reyk isn't sure if it will compile against FreeBSD 8 - he hasn't tried it.
Also, he just needs a ports committer to get it into the package tree - he's still looking for one at this moment.
#5 Updated by Adam Thompson about 7 years ago
Major issue would likely be making isakmpd (IKEv1) and iked (IKEv2) operate simultaneously... unclear if this can be done yet. Likely it would be an either/or selection, much like choosing between e.g. NTPD, or OSPF, or BGP implementations... bit trickier, since IKEv1 is baked-in and IKEv2 would be an add-on package. Unsure how to cleanly resolve this, but I think it's reasonable to check the base system config for IPSEC enabled/disabled before allowing IKEv2 to be enabled.
Or bake OpenIKED into the base system and refactor the config pages... I'd be willing to look at redesigning the config pages in that case.