Please add support for IKEv2 for IPSec VPN #13

Open
manjurajv opened this issue Jan 16, 2014 · 109 comments

@manjurajv

The current IPSec VPN is based on ISAKMP (IKEv1). Please add support for IKEv2.

You can port openswan or strongswan.

@dnobori
Member

dnobori commented Jan 16, 2014

You can port openswan or strongswan.

@saschanaz

http://www.vpnusers.com/viewtopic.php?f=7&t=3056
IKEv2 will make me happy with my Lumia. :)

@ValdikSS

It would be really great if IKEv2 is added. SoftEther is a nice and mature project with a userspace IPSec implementation, which is very useful in containers like OpenVZ, where you can't just load kernel modules.

@balu88

balu88 commented Jul 26, 2014

If you add IKEv2, I could migrate from RockhopperVPN and could connect my BlackBerry.

@ValdikSS

@balu88, you can use strongSwan with kernel-libipsec, if you need userspace IPsec implementation (I suppose you use rockhopper only because of that).

@balu88

balu88 commented Aug 25, 2014

@ValdikSS, I use Rockhopper because of its easy configuration and administration. But thanks for the info, didn't know about the lib.

@ValdikSS

@balu88, by the way, strongSwan has a web interface and is pretty easy to configure (if we talk about openswan/libreswan) and is very thoroughly documented.

@greatazfar

IKEv2 is very important for me or other BlackBerry and Nokia Lumia users. Please do support IKEv2.

@complexi

@ValdikSS are u talking about dumm? send link to strongSwan web-interface please.

@complexi

@dnobori - thx for the great SE package. very awesome. do you have a quick start guide on porting strongSwan to SE?

@ValdikSS

@complexi https://wiki.strongswan.org/projects/1/wiki/Manager

> do you have a quick start guide on porting strongSwan to SE?

lol

@complexi

@ValdikSS lol indeed. thx for the strongSwan link.

@extremeshok

IKEv2 is the default method for VPNs in Windows 7.

Lack of support is causing a lot of issues.

@otraore

otraore commented Sep 9, 2015

2015 If IKEv2 isn't supported bump to support it.

@AlexCatch

Support for IKEv2 would be good

@atik7

atik7 commented Dec 5, 2015

+1 IKEv2

@wangkangluo1

+1 IKEv2

@linust

linust commented Jan 17, 2016

I agree IKEv2 support would be much appreciated.

@jackivanov

+1 IKEv2

@AlexCatch

AlexCatch commented Jun 12, 2016

IKEv2 would be good for mobile applications, would open up a realm of possibility for native VPN apps for iOS.

@aenertia

Implementing individual cert for IPSEC and OpenVPN is IMNSHO more important.

@luckman212

Also came here to say it would be very nice to see IKEv2 support in the SoftEther project.

@moatazelmasry2
Member

Yes please add IKEv2 support
+1

@rezabagh

Yes please add IKEv2 support

@moatazelmasry2
Member

Hi everyone. Just to let you know I needed IPSec/IKEv1 in tunneling mode, so I'm currently working on implementing it in SoftEther and actually investing time in that. Hopefully after that I'll find time to add IKEv2, doing a port from strongswan.
Here's my code (it is a WIP)
https://github.com/moatazelmasry2/SoftEtherVPN/tree/ipsec-tunnel

So if anyone wants to help with IPSec tunneling or with IKEv2 or just needs to exchange ideas, I'll be glad to talk.

@isayeter

isayeter commented Jun 19, 2017

Any update?

We cannot create a VPN connection on iOS programmatically.

It supports only NEVPNProtocolIPSec or NEVPNProtocolIKEv2

At this point SoftEtherVPN is meaningless for iOS developers 🤒

@maks-shevchenko

And no news on adding or hint how to make IKEv2 work with SE setup?

@ilkerc

ilkerc commented Jul 23, 2017

+1

@Brooderban

+1 IKEv2

@shelliao

+1 IKEv2
My VPN didn't work after the Android OS upgrade to 13; only IKEv2 is supported in Android 13, according to the official response.

@ChironShi

+1 IKEv2

@Eletmetrix

Eletmetrix commented Apr 28, 2023

+1 IKEv2
definitely needed

chipitsine added a commit to chipitsine/SoftEtherVPN that referenced this issue Apr 30, 2023
=================================================================
==1505093==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000366b88 at pc 0x7f72afadc34a bp 0x7f72990fa390 sp 0x7f72990fa388
READ of size 4 at 0x607000366b88 thread T22
    #0 0x7f72afadc349 in GetCaps /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1861
    #1 0x7f72afadc382 in GetCapsInt /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1802
    #2 0x7f72afaf72a5 in GetServerCapsInt /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1098
    #3 0x7f72afaf7318 in GetServerCapsBool /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1104
    #4 0x7f72afaf771e in SiWriteHubCfg /home/ilia/SoftEtherVPN/src/Cedar/Server.c:4887
    #5 0x7f72afaf771e in SiWriteHubCfg /home/ilia/SoftEtherVPN/src/Cedar/Server.c:4824
    #6 0x7f72afaf7c0b in SiWriteHubs /home/ilia/SoftEtherVPN/src/Cedar/Server.c:5548
    #7 0x7f72afaf7c0b in SiWriteHubs /home/ilia/SoftEtherVPN/src/Cedar/Server.c:5515
    #8 0x7f72afaf81d6 in SiWriteConfigurationToCfg /home/ilia/SoftEtherVPN/src/Cedar/Server.c:3166
    #9 0x7f72afaf86bc in SiWriteConfigurationFile /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6593
    #10 0x7f72afaf86bc in SiWriteConfigurationFile /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6569
    #11 0x7f72afaf8914 in SiSaverThread /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6561
    #12 0x7f72afaf8914 in SiSaverThread /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6547
    #13 0x7f72af6e0cfa in ThreadPoolProc /home/ilia/SoftEtherVPN/src/Mayaqua/Kernel.c:872
    #14 0x7f72af6e0cfa in ThreadPoolProc /home/ilia/SoftEtherVPN/src/Mayaqua/Kernel.c:827
    #15 0x7f72af76eeb4 in UnixDefaultThreadProc /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:1604
    #16 0x7f72af4ffc56 in start_thread (/lib64/libc.so.6+0x8cc56) (BuildId: 6107835fa7d4725691b2b7f6aaee7abe09f493b2)
    #17 0x7f72af585a6f in __clone3 (/lib64/libc.so.6+0x112a6f) (BuildId: 6107835fa7d4725691b2b7f6aaee7abe09f493b2)

0x607000366b88 is located 24 bytes inside of 72-byte region [0x607000366b70,0x607000366bb8)
freed by thread T0 here:
    #0 0x7f72afed7fc8 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xd7fc8) (BuildId: 9501248886f79bf1482f3e153f794be742818172)
    #1 0x7f72af76ed6f in UnixMemoryFree /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:2072

previously allocated by thread T22 here:
    #0 0x7f72afed92ff in malloc (/lib64/libasan.so.8+0xd92ff) (BuildId: 9501248886f79bf1482f3e153f794be742818172)
    #1 0x7f72af76f35d in UnixMemoryAlloc /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:2053

Thread T22 created by T0 here:
    #0 0x7f72afe48966 in pthread_create (/lib64/libasan.so.8+0x48966) (BuildId: 9501248886f79bf1482f3e153f794be742818172)
    #1 0x7f72af76f713 in UnixInitThread /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:1683

SUMMARY: AddressSanitizer: heap-use-after-free /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1861 in GetCaps
chipitsine added a commit to chipitsine/SoftEtherVPN that referenced this issue May 1, 2023
metalefty pushed a commit to metalefty/SoftEtherVPN that referenced this issue May 31, 2023
@itsKV

itsKV commented Jun 11, 2023

+1 IKEv2

@worldmaomao

+1 IKEv2

@Evengard
Member

IKEv2 is a pretty complex standard. Using a library is probably a possibility, but I didn't find any which would be suitable for SoftEther.
StrongSwan/OpenSwan - are GPL, which wouldn't be compatible with the SoftEther license
OpenIKEv2 is written in C++, while SoftEther is pure C
And that's basically all there is. All other implementations seem to be from other languages, not even remotely compatible with SoftEther.
Implementing in-tree is possible, but requires a lot of effort and time.

@Evengard
Copy link
Member

One way I see how this could be made is probably to borrow parts of OpenIKED (https://github.com/openiked/openiked-portable). Which seems to have a compatible license. But this isn't a library, so still kinda problematic.

@mehrdadn

mehrdadn commented Jul 17, 2023

> StrongSwan/OpenSwan - are GPL, which wouldn't be compatible with the SoftEther license

It should be possible to sidestep that issue by letting users download & build StrongSwan/OpenSwan separately from SoftEther, right? SoftEther needs to be able to load their libraries dynamically and then call into them if they're available, but there's no need for SoftEther to actually bundle or distribute them. Would it be possible to consider this approach?

@Evengard
Member

Evengard commented Jul 17, 2023

@mehrdadn
I'm not a lawyer, but GPL isn't LGPL, which would allow such usage. GPL restricts even the usage of the API headers without changing the whole project license to GPL. The only reason why it works for Linux (Linux being a GPLv2 software) is because of an explicit exemption for the userland API usage - e.g. Linux uses a kind of a modified GPL.
I didn't find such an exemption for StrongSwan/OpenSwan.

@mehrdadn

I would have thought that Google v. Oracle would have included this as fair use? Being able to replace strongSwan with a substitute is an interoperability question, and would necessarily require its headers. If a user happens to download strongSwan itself (rather than a substitute), it will work too—that's exactly what interoperability is. I'm not sure I see how this is different from that case, but I guess I'm not a lawyer either...

@Evengard
Member

@mehrdadn
Well, I did dig the internet for a while about using GPL libraries - the general consensus is that using a GPL library requires switching to GPL.
The Google vs Oracle case, imo, is a bit different - see, originally Oracle never restricted the usage of the Java API for the development of proprietary software (or differently-licensed software). Here this is not the case - GPL explicitly forbids it.

@mehrdadn

mehrdadn commented Jul 17, 2023

@Evengard That's what the FSF and GNU advertise, but as Wikipedia mentions, it's not really the consensus. This bit is particularly noteworthy:

> A Novell lawyer has written that dynamic linking not being derivative "makes sense" but is not "clear-cut", and that evidence for good-intentioned dynamic linking can be seen by the existence of proprietary Linux kernel drivers.

If we assume the FSF/GNU's prohibition on dynamic linking is correct, and that merely using the headers is a violation, then what about all these closed-source proprietary Linux kernel modules (such as from NVIDIA)? Are they illegal?

(Edit: That said though, obviously I think it's quite understandable if the project sees this as a risk, regardless of what I or others may believe about the GPL's limits.)

@pdario

pdario commented Aug 11, 2023

Hello, I found myself here looking for a way to connect my Android 13 phone. I understand that, for the time being, it could be done only with a third-party app: what is the suggested one at the moment? Thank you

@Evengard
Member

Evengard commented Aug 11, 2023

@pdario
I'm personally using VPN Client Pro but it is not free.
I'm installing on other phones https://github.com/kittoku/Open-SSTP-Client, although you may try https://github.com/kittoku/Minimum-VPN-Client-for-SoftEther-VPN.
Also, you can use any OpenVPN client as well. Or a Wireguard one.

@Ulyouth

Ulyouth commented Sep 16, 2023

> @pdario I'm personally using VPN Client Pro but it is not free. I'm installing on other phones https://github.com/kittoku/Open-SSTP-Client, although you may try https://github.com/kittoku/Minimum-VPN-Client-for-SoftEther-VPN. Also, you can use any OpenVPN client as well. Or a Wireguard one.

@Evengard Does VPN Client Pro support NAT traversal?

I also tried both other options, but neither works for me.

EDIT: Apparently NAT-T support was added in the beginning of 2023 so I decided to give it a shot and it works like a charm! VPN Client Pro is the way to go if you need NAT-T support.

@mehrdadn

> > StrongSwan/OpenSwan - are GPL, which wouldn't be compatible with the SoftEther license
>
> It should be possible to sidestep that issue by letting users download & build StrongSwan/OpenSwan separately from SoftEther, right? SoftEther needs to be able to load their libraries dynamically and then call into them if they're available, but there's no need for SoftEther to actually bundle or distribute them. Would it be possible to consider this approach?

I got another idea. Instead of my above suggestion, what if we added a layer of indirection as follows?

  1. Design a novel and public API for IKEv2/IPsec encryption. Make the API general-purpose so it doesn't depend on any particular implementation. (i.e.: Ensure these aren't derived works, but genuinely higher-level abstractions that allow interoperability, perhaps similarly to how reverse engineering avoids violating copyright?) Release the headers publicly, under whatever license is convenient.

  2. Implement support for any implementation following that API inside SoftEther, allowing it to load those libraries directly.

  3. Create implementations of that API for StrongSwan and OpenSwan. The implementations would naturally be considered derivative works.

  4. Release precompiled binaries (+ sources) for those implementations, under GPL licenses as required (since they're derivative works).

  5. Have end-users download those binaries separately from SoftEther.

I'm not a lawyer/nothing I've said is legal advice, but as a layperson it sounds to me like this may alleviate your concern? Even if you believe compiling against GPL headers would create a derived work, this would avoid that issue, since SoftEther no longer uses any headers (or anything else) derived from GPL libraries. It only uses headers that were released under your own license. Would that work?

@Evengard
Member

I never knew about that fork: https://github.com/NovaVPN/SoftEtherVPN
I may try to adapt it to the current codebase with full support, maybe, during some weekend.
Using this codebase would be a lot faster and easier to do than to write from scratch, even with all its limitations.

@Evengard
Member

Good news. First, folks over at NovaVPN confirmed that their code is Apache 2.0, aka compatible with the main SoftEtherVPN codebase. Second, I started integrating it with the current codebase. That will take some time (I have problems with free time right now), but the work has started.

@AkramiPro

> Good news. First, folks over at NovaVPN confirmed that their code is Apache 2.0, aka compatible with the main SoftEtherVPN codebase. Second, I started integrating it with the current codebase. That will take some time (I have problems with free time right now), but the work has started.

hi, any news?

@Evengard
Member

I have problems with time lately. The implementation is far from complete, as it's lacking authorization. I'll get back to that as soon as I find time...

@vantablack333

Why is this still not resolved after 10 (!) years? Also, I used Openvpn connect app as a workaround with sample config exported from Windows client to connect to my VPN on Android 13.

@chipitsine
Member

> Why is this still not resolved after 10 (!) years? Also, I used Openvpn connect app as a workaround with sample config exported from Windows client to connect to my VPN on Android 13.

@Evengard , your turn )) since you have an appetite for backporting NovaVPN , what can improve your progress ?

@vantablack333 , btw, we accept pull requests.

@Evengard
Member

Yeah, sorry for that. I started doing it, but stumbled upon the fact that in the NordVPN code the authentication wasn't implemented at all. It does use EAP auth, so I started to refactor that from the PPP code to reuse it here, but was too busy lately to keep working on that.
