From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-questions@freebsd.org
Date: Fri, 10 Jan 2020 10:50:09 +0700
Subject: Re: replacement of security/ipsec-tools
Message-ID: <20200110035009.GB67842@admin.sibptus.ru>
In-Reply-To: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org>

Michael Grimm wrote:
> [X-posted, please choose the relevant ML for such a thread]
>
> Hi,
>
> I am running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
>
> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
> The development of ipsec-tools has been ABANDONED.
> ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
>
> Could you provide me with links where I could find more details about the above mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.
>
> What would be a secure alternative if one is needed?
> #) security/racoon2
> #) security/strongswan
> #) something else? There was also security/isakmpd, but it is marked as BROKEN now.

I've been told that strongswan works on FreeBSD. I've tried installing strongswan, but it looks too complex and tricky in comparison with racoon. If you ever find good documentation/howto for strongswan on FreeBSD, please share it with me.

>
> What do I need?
> #) a VPN tunnel between two hosts
> #) both local networks reachable from the remote host

That is what kernel IPSec is for; you can even do it on static keys without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
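The static-key setup the reply points to, as an added example that is not from the thread or from the if_ipsec(4) manual page: it renders the two manually keyed setkey(8) SAs (identical on both ends), brings up an if_ipsec(4) interface bound to them by reqid, and routes the peer's LAN through the tunnel. Addresses, SPIs, the reqid value and the config file path are constructed assumptions.

```shell
#!/bin/sh
# Static-key if_ipsec(4) tunnel between two FreeBSD hosts (added example, not from the thread).
# Constructed addresses: left host outer 192.0.2.1 / inner 10.0.0.1,
#                        right host outer 198.51.100.1 / inner 10.0.0.2 / LAN 192.168.2.0/24.
# Assumes a kernel with IPSEC support and root privileges on both hosts.
REQID=100          # ties the ipsec0 interface to the SAs installed below (constructed value)

# Random key as a 0x-prefixed hex string of $1 bytes, the form setkey(8) accepts.
gen_key() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n' | sed 's/^/0x/'
}

# Render the two manual SAs (one per direction) for setkey(8). The same file is loaded on both
# hosts because each "add src dst" line is directional and absolute.
# Args: local_outer remote_outer spi_out spi_in enc_out auth_out enc_in auth_in
# -m tunnel: tunnel mode; -u REQID: bind to the interface; -r 128: enable the anti-replay
# window, which is off for manually keyed SAs unless requested.
render_setkey_conf() {
    cat <<EOF
flush;
add $1 $2 esp $3 -m tunnel -u $REQID -r 128 -E rijndael-cbc $5 -A hmac-sha2-256 $6;
add $2 $1 esp $4 -m tunnel -u $REQID -r 128 -E rijndael-cbc $7 -A hmac-sha2-256 $8;
EOF
}

# Bring the tunnel up on one host; run the same on the peer with outer/inner/LAN swapped.
# Args: local_outer remote_outer local_inner remote_inner remote_lan conf_file
apply_tunnel() {
    ifconfig ipsec0 create reqid "$REQID"
    ifconfig ipsec0 inet "$3" "$4"
    ifconfig ipsec0 tunnel "$1" "$2"     # if_ipsec installs the SPD entries for this reqid
    setkey -f "$6"                       # installs the manual SAs rendered above
    sysctl net.inet.ip.forwarding=1 >/dev/null
    route -q add -net "$5" "$4"          # peer LAN via the peer's inner address
}

# "genconf": print a fresh config (16-byte AES keys, 32-byte HMAC keys); copy the same file
# to the peer over a trusted channel. "apply": configure this host from that file.
if [ "${1:-}" = "genconf" ]; then
    render_setkey_conf 192.0.2.1 198.51.100.1 10000 10001 \
        "$(gen_key 16)" "$(gen_key 32)" "$(gen_key 16)" "$(gen_key 32)"
elif [ "${1:-}" = "apply" ]; then
    apply_tunnel 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2 192.168.2.0/24 \
        /usr/local/etc/ipsec-static.conf
fi
```

Manual SAs never rekey and their ESP sequence numbers restart at boot, so after either host reboots the SAs must be flushed and re-added on both sides, and the keys should be regenerated on a schedule rather than left in place for years.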