From owner-freebsd-hackers@freebsd.org  Mon Apr 22 19:54:04 2019
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 45113158120F
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Mon, 22 Apr 2019 19:54:04 +0000 (UTC)
 (envelope-from wojtek@puchar.net)
Received: from puchar.net (puchar.net [194.1.144.90])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 11756746EA
 for <freebsd-hackers@freebsd.org>; Mon, 22 Apr 2019 19:54:02 +0000 (UTC)
 (envelope-from wojtek@puchar.net)
Received: Received: from 127.0.0.1 (localhost [127.0.0.1])
 by puchar.net (8.15.2/8.15.2) with ESMTPS id x3MJrjtt030260
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Mon, 22 Apr 2019 21:53:45 +0200 (CEST)
 (envelope-from puchar-wojtek@puchar.net)
Received: from localhost (puchar-wojtek@localhost)
 by puchar.net (8.15.2/8.15.2/Submit) with ESMTP id x3MJrjiu030257;
 Mon, 22 Apr 2019 21:53:45 +0200 (CEST)
 (envelope-from puchar-wojtek@puchar.net)
Date: Mon, 22 Apr 2019 21:53:45 +0200 (CEST)
From: Wojciech Puchar <wojtek@puchar.net>
To: Louis Kowolowski <louisk@cryptomonkeys.org>
cc: Wojciech Puchar <wojtek@puchar.net>, Eugene Grosbein <eugen@grosbein.net>, 
 freebsd-hackers@freebsd.org
Subject: Re: openvpn and system overhead
In-Reply-To: <25566D0F-72DF-4EF1-8900-8DD611D03B33@cryptomonkeys.org>
Message-ID: <alpine.BSF.2.20.1904222153110.30142@puchar.net>
References: <alpine.BSF.2.20.1904171707030.87502@puchar.net>
 <0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138@grosbein.net>
 <alpine.BSF.2.20.1904191841200.44949@puchar.net>
 <5CBAB88C.4020402@grosbein.net>
 <alpine.BSF.2.20.1904221731560.76479@puchar.net>
 <25566D0F-72DF-4EF1-8900-8DD611D03B33@cryptomonkeys.org>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
MIME-Version: 1.0
X-Rspamd-Queue-Id: 11756746EA
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
 spf=pass (mx1.freebsd.org: domain of wojtek@puchar.net designates 194.1.144.90
 as permitted sender) smtp.mailfrom=wojtek@puchar.net
X-Spamd-Result: default: False [-5.68 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+mx];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.10)[multipart/mixed,text/plain];
 RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[puchar.net];
 TO_DN_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[3];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[puchar.net];
 CTYPE_MIXED_BOGUS(1.00)[];
 RCVD_IN_DNSWL_NONE(0.00)[90.144.1.194.list.dnswl.org : 127.0.10.0];
 NEURAL_HAM_SHORT(-0.87)[-0.871,0];
 IP_SCORE(-3.50)[ip: (-9.25), ipnet: 194.1.144.0/24(-4.63), asn: 43476(-3.70),
 country: PL(0.07)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+,1:+];
 ASN(0.00)[asn:43476, ipnet:194.1.144.0/24, country:PL];
 MID_RHS_MATCH_FROM(0.00)[]
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 8BIT
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 19:54:04 -0000

>       can IPSEC VPN work over nat? even freebsd-freebsd case.
>
>       I cannot find any tutorial how to do this.
> 
> 
> -ishYou must forward udp/4500 to the host and IPSec will negotiate a tunnel successfully.
usually i cannot do it when being over nat that isn't under my control
From owner-freebsd-hackers@freebsd.org  Tue Apr 23 03:02:40 2019
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3995D158B515
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Tue, 23 Apr 2019 03:02:40 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13::5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "eg.sd.rdtc.ru", Issuer "eg.sd.rdtc.ru" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 336078B12C
 for <freebsd-hackers@freebsd.org>; Tue, 23 Apr 2019 03:02:28 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: freebsd-hackers@freebsd.org
Received: from eg.sd.rdtc.ru (eugen@localhost [127.0.0.1])
 by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTP id x3N32JB6006038;
 Tue, 23 Apr 2019 10:02:19 +0700 (+07)
 (envelope-from eugen@grosbein.net)
Subject: Re: openvpn and system overhead
To: Wojciech Puchar <wojtek@puchar.net>
References: <alpine.BSF.2.20.1904171707030.87502@puchar.net>
 <0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138@grosbein.net>
 <alpine.BSF.2.20.1904191841200.44949@puchar.net>
 <5CBAB88C.4020402@grosbein.net>
 <alpine.BSF.2.20.1904221731560.76479@puchar.net>
Cc: freebsd-hackers@freebsd.org
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <5CBE803B.8060505@grosbein.net>
Date: Tue, 23 Apr 2019 10:02:19 +0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <alpine.BSF.2.20.1904221731560.76479@puchar.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 336078B12C
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
 spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism
 not recognized by this client) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [0.15 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-0.38)[-0.382,0];
 MX_INVALID(0.50)[greylisted]; FROM_HAS_DN(0.00)[];
 TO_DN_SOME(0.00)[]; NEURAL_SPAM_SHORT(0.43)[0.429,0];
 NEURAL_HAM_LONG(-0.30)[-0.298,0]; MIME_GOOD(-0.10)[text/plain];
 RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[grosbein.net];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; R_SPF_PERMFAIL(0.00)[];
 RCPT_COUNT_TWO(0.00)[2]; IP_SCORE(0.00)[country: RU(0.00)];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:29072, ipnet:2a03:3100::/32, country:RU];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 03:02:40 -0000

On 22.04.2019 22:32, Wojciech Puchar wrote:
>>> well it has to cooperate with multitude of clients like windoze,
>>> point&click routers etc. that's why openvpn.
>>
>> Windows has stock support for IPSec with and without L2TP and has no stock openvpn, so IPSec is more preferable.
> 
> can IPSEC VPN work over nat? even freebsd-freebsd case.
> 
> I cannot find any tutorial how to do this.

FreeBSD 11.1 and later supports IPSec NAT Traversal out-of-the-box.