Support RFC 8229: TCP Encapsulation of IKE and IPsec Packets
There is new IETF ipsecme group draft draft-ietf-ipsecme-tcp-encaps, which defines a standard way to encapsulate IKE/ESP packet in TCP/TLS; which is a useful feature for IPsec travel through firewall that only allows HTTP/HTTPS traffic;
right now, the draft is version 4, and pretty stable, could become RFC soon;
it would be great if strongswan could support this draft;
#3 Updated by Carl-Daniel Hailfinger over 4 years ago
A first implementation of RFC 8229 for the Linux kernel has been submitted: https://marc.info/?l=linux-netdev&m=151567688126015&w=2
#9 Updated by Carl-Daniel Hailfinger almost 3 years ago
The RFC 8229 ESPinTCP patch for the Linux kernel has finally left the RFC stage. According to the review comments, the only thing left to change is changing the name of the Kconfig option. The API for userspace seems to be final already.
The feature is (like UDP encapsulation) IPv4-only right now. The author of the patch plans to extend the functionality to IPv6 later.
#10 Updated by Carl-Daniel Hailfinger over 2 years ago
The RFC 8229 ESPinTCP patches have been merged into the upstream ipsec-next kernel tree in branch "testing".
#11 Updated by Carl-Daniel Hailfinger over 2 years ago
The RFC 8229 ESPinTCP patches have been merged into the upstream net-next tree and will be part of Linux 5.6.
#12 Updated by Carl-Daniel Hailfinger over 2 years ago
The RFC 8229 ESP in TCP encapsulation patches have finally landed in mainline Linux:
#13 Updated by Carl-Daniel Hailfinger about 2 years ago
RFC8229 ESP in TCP is now also supported for IPv6 in mainline Linux: