Feature #2189
Support RFC 8229: TCP Encapsulation of IKE and IPsec Packets
Description
There is a new IETF ipsecme group draft, draft-ietf-ipsecme-tcp-encaps, which defines a standard way to encapsulate IKE/ESP packets in TCP/TLS. This is a useful feature for IPsec to travel through firewalls that only allow HTTP/HTTPS traffic.
Right now, the draft is at version 4 and pretty stable; it could become an RFC soon.
It would be great if strongSwan could support this draft.
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-tcp-encaps/
History
#1 Updated by Carl-Daniel Hailfinger about 8 years ago
draft-ietf-ipsecme-tcp-encaps is now in the RFC Editor Queue.
#2 Updated by Carl-Daniel Hailfinger about 8 years ago
RFC 8229: TCP Encapsulation of IKE and IPsec Packets has been published.
#3 Updated by Carl-Daniel Hailfinger over 7 years ago
A first implementation of RFC 8229 for the Linux kernel has been submitted: https://marc.info/?l=linux-netdev&m=151567688126015&w=2
#4 Updated by Tobias Brunner over 7 years ago
- Subject changed from Support TCP encapsulation to Support RFC 8229: TCP Encapsulation of IKE and IPsec Packets
#5 Updated by Tobias Brunner over 7 years ago
- Status changed from New to Assigned
- Assignee set to Tobias Brunner
#6 Updated by Tobias Brunner over 7 years ago
- Target version set to 5.6.3
#7 Updated by Tobias Brunner over 7 years ago
- Target version deleted (5.6.3)
#8 Updated by Carl-Daniel Hailfinger about 6 years ago
A new version of the RFC 8229 ESPinTCP patch has been submitted to the Linux kernel: https://lwn.net/Articles/792028/
#9 Updated by Carl-Daniel Hailfinger almost 6 years ago
The RFC 8229 ESPinTCP patch for the Linux kernel has finally left the RFC stage. According to the review comments, the only thing left to change is changing the name of the Kconfig option. The API for userspace seems to be final already.
https://lore.kernel.org/netdev/cover.1568192824.git.sd@queasysnail.net/
The feature is (like UDP encapsulation) IPv4-only right now. The author of the patch plans to extend the functionality to IPv6 later.
#10 Updated by Carl-Daniel Hailfinger almost 6 years ago
The RFC 8229 ESPinTCP patches have been merged into the upstream ipsec-next kernel tree in branch "testing".
https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/log/?h=testing
#11 Updated by Carl-Daniel Hailfinger over 5 years ago
The RFC 8229 ESPinTCP patches have been merged into the upstream net-next tree and will be part of Linux 5.6.
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
#12 Updated by Carl-Daniel Hailfinger over 5 years ago
The RFC 8229 ESP in TCP encapsulation patches have finally landed in mainline Linux:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
#13 Updated by Carl-Daniel Hailfinger over 5 years ago
RFC 8229 ESP in TCP is now also supported for IPv6 in mainline Linux:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=26333c37fc285e7372f1b9461f3ae0ba3dc699c9