OpenBSD Project published project release OpenIKED 7.3, which develops the implementation of the IKEv2 protocol. Initially, the IKEv2 components were an integral part of the OpenBSD IPsec stack, but were then separated into a separate portable package and can now be used on other operating systems. OpenIKED has been tested on FreeBSD, NetBSD, macOS and various Linux distributions including Arch, Debian, Fedora and Ubuntu. The code is written in C and distributed by under license from ISC.
OpenIKED allows you to deploy IPsec-based virtual private networks. The IPsec stack is made up of two main protocols: the Key Exchange Protocol (IKE) and the Encrypted Transport Protocol (ESP). OpenIKED implements elements of authentication, configuration, key exchange, and security policy maintenance, and a protocol for encrypting ESP traffic, are typically provided by the operating system kernel. Authentication methods in OpenIKED can use pre-shared keys, EAP MSCHAPv2 with an X.509 certificate, and RSA and ECDSA public keys.
In the new version:
- Added support for tunnels sec, created in OpenBSD to route IPsec traffic through the sec network interface, instead of using SPD (IPsec Security Policy Database) rules when creating secure point-to-point VPNs.
- Added support for specifying multiple name servers on the same network interface in Linux.
- Added the ability to use the libssytemd library to configure DNS via DBUS on Linux, instead of calling the resolvectl utility.
- On the Linux platform, the libapparmor library has been removed from the dependencies, instead of which, to change AppArmor policies, a direct call to the pseudo FS /proc is now used, which allows you to open file descriptors before resetting privileges.
- The ability to process full x509 certificate chains in the CERT payload has been provided.
- To improve process isolation, child processes are restarted after calling fork().
- The internal ibuf API has been redesigned for OpenBSD 7.4.
- The compatibility layer is synchronized with the latest OpenBSD codebase.
- Corrections have been made to the OpenSSL configuration used by ikectl to ensure renewal of expired certificates.
Thanks for reading: