[support] IKE (v2) and IPsec implementation in a NEPL context

Sebastien Decugis sdecugis at hongo.wide.ad.jp
Wed Feb 10 10:41:47 JST 2010


Hello Panos,
 
>
> Seeing a recent IKEv2 post and as this is something that I was also
> looking at, I thought to ask in the list whether someone has managed
> to get dynamic keying (i.e. IKEv2) in nepl? Do the same principles
> described in [1] for mipv6+racoon from Sebastien apply?
>

Almost, yes. The work on IKEv2 dynamic keying for NEPL was started when
Nautilus6 was active, and we got it working to some extent (not many
tests unfortunately, so there are probably some bugs around) -- but then
unfortunately Nautilus6 was terminated.

The mechanism is very similar to the one from MIPv6, except that the
traffic selectors are more complex in some situations (example: if the
traffic from MNN needs to be tunneled).
In addition, I doubt that nested scenarios (a mobile node inside the
mobile network) would work with the current implementation, it may
require more important changes.
In any case, the current NEPL patch already includes our latest work on
the dynamic keying, so you can start from there and see how it works...
I recommend starting with:
- dynamic keying for the mobile node, it can be tricky ^^.
- static keying for NEPL. This also is not so simple...
Then you can try the "level 2" ;-)


> Has anyone got any experience or insight to share on which one of the
> above is better and why? I am thinking of them more in a nepl context,
> but even a more general or mipv6 discussion will be interesting ;-)

In Nautilus6 we used to work with (patched) racoon2 -- since it was 2
years ago, the patches do not apply anymore, you'll have to understand
the changes we were doing and adapt to the new code...
There has also been feedback with StrongSwan from Arnaud on this list.
I don't know the situation with the other implementations you are
mentioning.

Hope this helps,
Best regards,
Sebastien.


