From: Eugene Grosbein
To: Victor Sudakov
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN vs IPSec
Date: Sun, 19 Nov 2017 22:25:36 +0700
Message-ID: <5A11A270.60006@grosbein.net>
In-Reply-To: <20171119151416.GI82727@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD

19.11.2017 22:14, Victor Sudakov wrote:

>> There is also if_ipsec(4), too.
>
> Oh, I forgot about this recent addition. It was a really good design
> idea, thank you for reminding me.
>
> I now even remember discussing it with Andrey in his LJ and suggesting
> a small cosmetic feature which he implemented at my request.
>
> Have you tried it in production? What does it do to the MTU?

I've not tried if_ipsec yet. I'm still fine with older ways to "cook" IPSEC :-)

> And what does it look like (both shared secret and login/password)
> from the point of view of a Windows/Mac client?

They all have corresponding fields in their GUI to enter these parameters
and then it just works.

>> You can find my letter to RU.UNIX.BSD of June 20 with subject "Re: STABLE+IPSEC"
>> describing this setup.
>
> May I ask you kindly to publish a howto in your LJ?

I have some problems with LJ after they moved their servers, so do not expect that soon.
However, there is almost nothing special to share. Just use the software in the most simple way :-)
It finally works these days just how it was supposed to from the beginning.