Hello Stuart, thanks for your quick reply.
> On 2020-02-14, Peter Müller <peter.muel...@link38.eu> wrote: >> Hello openbsd-misc, >> >> during some flaws in OpenIKED, I am forced to use strongSwan as an IPsec >> client on an >> OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing >> policies for CHILD_SA >> fails (as expected): >> >>> unable to install IPsec policies (SPD) in kernel >>> failed to establish CHILD_SA, keeping IKE_SA >> >> To those who are running strongSwan as an IPsec client on OpenBSD: Which is >> the best >> procedure in this case? Are there other methods of installing IPsec policies >> into the >> kernel available? > > strongSwan's module to install policies to the kernel (kernel-pfkey) does > not support OpenBSD without making code changes. Not impossible but hasn't > been done. Only their userland setup that works with tun(4) devices > (slightly confusingly called kernel-ipsec) is available. Hm, after fiddling around for a while, I am a bit helpless on this. Do you happen to have some example configuration? If yes, I would be very grateful to see it. :-) Thanks, and best regards, Peter Müller > > >> P.S.: In case anybody wonders about the "OpenIKED flaws", these are as >> follows: >> (a) Restarting single connections is not possible >> (b) Dead Peer Detection is missing (I am aware of ifstated as a >> "replacement", but since >> there seems to be no way of restarting a single IPsec connection, >> restarting the whole >> iked daemon causes operational tunnels to crash) >> (c) IKE is missing AES-GCM support (while ESP does - not sure why this is) >> (d) Does not seem to support more than one private key > > (e) no client side address-config > (f) doesn't work with intermediate certs Glad you mention it. I was bumping into something similar already and wondered why thinks won't work... > (plus some other missing things that would make life a lot easier, especially > punting EAP off to a radius server ;) > >> Apart from that, I really appreciate OpenIKED especially for its >> configuration file >> syntax, but unfortunately cannot use it primarily due to (a) and (d). >