Created attachment 242147: FreeBSD 13.2 - Patch for IPSEC IPv6 UDP encapsulation

The FreeBSD 13.2 kernel does not support IPv6 IPSEC UDP Encapsulation of ESP. The Android strongSwan VPN application does not have the root privileges needed to use a RAW socket and must use UDP Encapsulation of ESP to work with either IPv4 or IPv6. It would be useful for FreeBSD to support IPv6 VPN service with Android.

Attached is a patch for FreeBSD 13.2-RELEASE which adds support for IPv6 IPSEC UDP Encapsulation of ESP. The patch adds IPv6 support for UDP encapsulation which mirrors the existing IPv4 support, with the addition of enabling UDP checksums, which are required by IPv6.

Tested with strongSwan U5.9.10/K13.2-RELEASE (current ports version) using both normal and NAT'ed configurations.

During testing I found a bug in the 13.2 IPSEC implementation unrelated to this patch. I have submitted another bug report for it (271393).

I can help with support of this in FreeBSD if needed.

-Russ
Russell J. Yount <Russell.Yount@gmail.com>
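As an added illustration of the two mechanisms the report describes (not code from the patch or from FreeBSD): RFC 3948 demultiplexing of what arrives on UDP port 4500 (NAT keepalive, IKE behind the zero non-ESP marker, or ESP), and the IPv6 UDP checksum the kernel has to fill in, since IPv6, unlike IPv4, does not allow the UDP checksum to be omitted. Addresses, SPI and payload bytes are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 3948 section 2: telling apart what arrives on UDP port 4500. */
enum udpencap_kind { UDPENCAP_ESP, UDPENCAP_IKE, UDPENCAP_KEEPALIVE, UDPENCAP_INVALID };
enum udpencap_kind classify_udpencap(const uint8_t *p, size_t len)
{
    if (len == 1 && p[0] == 0xff) return UDPENCAP_KEEPALIVE; /* one-byte NAT keepalive */
    if (len < 4) return UDPENCAP_INVALID;
    if ((p[0] | p[1] | p[2] | p[3]) == 0) return UDPENCAP_IKE; /* zero non-ESP marker */
    return UDPENCAP_ESP;                                  /* non-zero SPI: ESP header */
}
/* Adds the 16-bit big-endian words of p to the Internet checksum accumulator. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;
    return acc;
}
/* Folded one's-complement sum of the IPv6 pseudo-header (RFC 8200 8.1) plus the
 * whole UDP datagram; udp_len counts the 8-byte UDP header as well. */
static uint16_t ipv6_udp_sum(const uint8_t src[16], const uint8_t dst[16],
                             const uint8_t *udp, size_t udp_len)
{
    uint32_t acc = sum16(dst, 16, sum16(src, 16, 0));
    acc += (uint32_t)(udp_len >> 16) + (udp_len & 0xffff) + 17; /* length, next hdr */
    acc = sum16(udp, udp_len, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Sender: checksum to write into udp[6..7], computed with that field zeroed.
 * Receiver: IPv6 forbids a zero checksum; a valid datagram sums to all ones. */
uint16_t ipv6_udp_checksum(const uint8_t s[16], const uint8_t d[16], const uint8_t *u, size_t n)
{ uint16_t c = ~ipv6_udp_sum(s, d, u, n); return c ? c : 0xffff; }
int ipv6_udp_checksum_ok(const uint8_t s[16], const uint8_t d[16], const uint8_t *u, size_t n)
{ return n >= 8 && (u[6] | u[7]) != 0 && ipv6_udp_sum(s, d, u, n) == 0xffff; }

/* Constructed sample: ESP (SPI 0x12345678) in UDP 4500->4500, fd00::1 -> fd00::2. */
int sample_roundtrip(void)
{
    uint8_t src[16] = {0xfd}, dst[16] = {0xfd}; src[15] = 1; dst[15] = 2;
    uint8_t pkt[24] = {0x11,0x94, 0x11,0x94, 0,0x18, 0,0,       /* ports, length, csum */
        0x12,0x34,0x56,0x78, 0,0,0,1, 0xde,0xad,0xbe,0xef, 0,0,0,0}; /* SPI, seq, body */
    uint16_t c = ipv6_udp_checksum(src, dst, pkt, sizeof pkt);
    pkt[6] = c >> 8; pkt[7] = c & 0xff;
    int ok = ipv6_udp_checksum_ok(src, dst, pkt, sizeof pkt)
          && classify_udpencap(pkt + 8, sizeof pkt - 8) == UDPENCAP_ESP;
    pkt[6] = pkt[7] = 0;   /* IPv4 may send a zero (absent) checksum; IPv6 may not */
    return ok && !ipv6_udp_checksum_ok(src, dst, pkt, sizeof pkt);
}
```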
Hi Russ, we're trying to get rid of patches in Bugzilla. Would you mind submitting this via GitHub or Phabricator? See https://docs.freebsd.org/en/articles/contributing/#contrib-how for more info.
I just made a pull request on GitHub: "Releng/13.2 - IPSEC IPv6 UDP Encapsulation Code #741". Hope I did this correctly. Please get back to me if I did not. Never used GitHub before. -Russ
After looking at other pull requests I realize what I did was wrong. I marked the pull request as draft and closed it. After playing with the git command for a few hours I am at a loss as to how to proceed, although in a local repository I found five places where there was whitespace preceding newlines. My patch seems to be OK with the main branch though. Sorry, I am retired and the last time I used source control systems was with SCCS and RCS. I started working with BSD 4.1 and AT&T System V UNIX. If you would work with me in email to review what I am missing with the git command I would appreciate it. Or I could upload a cleaned patch here and you could take it from there.
Why is NAT-T needed for IPv6? The main (the only?) promise of IPv6 is to get rid of NAT. Then the technique to improve NAT traversal for IPsec might not be too useful. On the other hand, it is a different encapsulation which could have application by itself. Can you please explain your use for NAT-T over IPv6?
As I said at the beginning of the bug report: The Android strongSwan VPN application does not have the root privileges needed to use a RAW socket and must use UDP Encapsulation of ESP to work with either IPv4 or IPv6. It would be useful for FreeBSD to support IPv6 VPN service with Android. I am not arguing for the use of NAT in IPv6, but some use it with IPv6 Unique Local Addresses for various reasons. I did test the patch with and without NAT to be complete.
It seems like this issue is making no progress. We have a stalemate at this point. As previously reported, Android only supports UDP encapsulation for IPv6, but FreeBSD currently does not. As a result, it is not possible to establish IPsec road warrior connections from Android to FreeBSD over IPv6. Implementing UDP encapsulation would solve this problem.
Isn't this being worked on in review D42526? That is active...
Thank you for the clarification.