From: Eric Masson
To: Victor Sudakov
Cc: freebsd-net@freebsd.org, Jim Thompson, "Muenz, Michael"
Subject: Re: OpenVPN vs IPSec
Date: Sun, 19 Nov 2017 17:04:54 +0100
Message-ID: <86k1ymtftl.fsf@newsrv.interne.associated-bears.org>
In-Reply-To: <20171119145116.GE82727@admin.sibptus.transneft.ru> (Victor Sudakov's message of "Sun, 19 Nov 2017 21:51:16 +0700")
References: <20171118165842.GA73810@admin.sibptus.transneft.ru> <20171119120832.GA82727@admin.sibptus.transneft.ru> <86o9nytmma.fsf@newsrv.interne.associated-bears.org> <20171119145116.GE82727@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD

Victor Sudakov writes:

Hi,

> That is, if you use kernel IPsec. But StrongSwan is completely
> userland AFAIK.

Nope, StrongSwan provides a userland IPsec stack but clearly states it's
not intended to be used on security gateways. Its typical use case is
when the kernel stack misses a required algorithm.

> And the kernel IPsec implementation has had problems with NAT
> traversal. Does it still have problems and require extra patches for
> NAT traversal?

Seems to me no patch has been required for a long time. ipsec is even now
enabled in GENERIC and has no performance impact when not used (thanks to
bz@).

> Maybe I'm indeed the faulty layer between keyboard and chair, but
> FreeBSD+IPsec+L2TP is still beyond me. Pure IPsec is fine more or
> less with me.

ipsec works fine, L2TP/ipsec is somewhat more convoluted. racoon needs 2
patches from what I've read here:
https://forums.freebsd.org/threads/26755/

As I've now switched my gateways to LEDE/OpenWRT, I no longer toy with
this kind of setup on FreeBSD.

-- 
L*n*x**ns are by definition newbies, because we were already drinking
Guinness around BSD stuff when the penguin business wasn't even a lustful
gleam in Linus T.'s eye.
-+- FYlG in: Gouin gouin les pingouins -+-