Feature #2189

Support RFC 8229: TCP Encapsulation of IKE and IPsec Packets

Added by Jun Hu over 3 years ago. Updated 2 months ago.

Status: Assigned
Priority: Normal
Category: -
Target version: -
Start date: 14.12.2016
Due date:
Estimated time:
Resolution:

Description

There is a new IETF ipsecme group draft, draft-ietf-ipsecme-tcp-encaps, which defines a standard way to encapsulate IKE/ESP packets in TCP/TLS. This is a useful feature for getting IPsec through firewalls that only allow HTTP/HTTPS traffic.
Right now, the draft is at version 4 and pretty stable; it could become an RFC soon.

It would be great if strongSwan could support this draft.

https://datatracker.ietf.org/doc/draft-ietf-ipsecme-tcp-encaps/

History

#1 Updated by Carl-Daniel Hailfinger about 3 years ago

draft-ietf-ipsecme-tcp-encaps is now in the RFC Editor Queue.

#2 Updated by Carl-Daniel Hailfinger almost 3 years ago

RFC 8229: TCP Encapsulation of IKE and IPsec Packets has been published.

#3 Updated by Carl-Daniel Hailfinger over 2 years ago

A first implementation of RFC 8229 for the Linux kernel has been submitted: https://marc.info/?l=linux-netdev&m=151567688126015&w=2

#4 Updated by Tobias Brunner over 2 years ago

  • Subject changed from Support TCP encapsulation to Support RFC 8229: TCP Encapsulation of IKE and IPsec Packets

#5 Updated by Tobias Brunner over 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Tobias Brunner

#6 Updated by Tobias Brunner over 2 years ago

  • Target version set to 5.6.3

#7 Updated by Tobias Brunner about 2 years ago

  • Target version deleted (5.6.3)

#8 Updated by Carl-Daniel Hailfinger about 1 year ago

A new version of the RFC 8229 ESPinTCP patch has been submitted to the Linux kernel: https://lwn.net/Articles/792028/

#9 Updated by Carl-Daniel Hailfinger 11 months ago

The RFC 8229 ESPinTCP patch for the Linux kernel has finally left the RFC stage. According to the review comments, the only thing left to change is changing the name of the Kconfig option. The API for userspace seems to be final already.
https://lore.kernel.org/netdev/cover.1568192824.git.sd@queasysnail.net/

The feature is (like UDP encapsulation) IPv4-only right now. The author of the patch plans to extend the functionality to IPv6 later.

#10 Updated by Carl-Daniel Hailfinger 9 months ago

The RFC 8229 ESPinTCP patches have been merged into the upstream ipsec-next kernel tree in branch "testing".

https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/log/?h=testing

#11 Updated by Carl-Daniel Hailfinger 7 months ago

The RFC 8229 ESPinTCP patches have been merged into the upstream net-next tree and will be part of Linux 5.6.
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=e27cca96cd68fa2c6814c90f9a1cfd36bb68c593

#12 Updated by Carl-Daniel Hailfinger 6 months ago

The RFC 8229 ESP in TCP encapsulation patches have finally landed in mainline Linux:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
