From: Victor Sudakov
To: Larry Baird, freebsd-net@freebsd.org
Date: Wed, 23 Sep 2015 09:03:40 +0600
Subject: Re: transport mode IPSec with Windows 7, static keys

Larry Baird wrote:
>
> > I use IKE when I have to, but would like to use static keys with
> > Windows specifically, or at least would like to definitely know if it
> > is at all possible or not.
> Static keys are too weak from a security stand point.

I can imagine situations where static keys are sufficient, or may
present a lesser risk than installing third party VPN solutions on
Windows.

> I have never tried
> to configure them on Windows. Sorry I can't help.

I configured them between FreeBSD and Cisco, as well as two FreeBSD
hosts. The main problem with Windows is that it can have only one key
both for encryption and authentication, while setkey requires two
different keys to be of different lengths, which is kinda difficult to
set up with setkey.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
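
Added example, not part of the original message: a shell sketch of the FreeBSD side of a manually keyed ESP transport-mode setup, showing the two separate keys setkey takes per SA and why their lengths differ. The addresses (192.0.2.x documentation range), the SPIs, and the choice of rijndael-cbc with hmac-sha1 are assumptions; the thread names no algorithms.

```shell
#!/bin/sh
# Added example: generate a setkey(8) configuration for a manually keyed
# ESP transport-mode SA pair. Addresses, SPIs and algorithms are assumed
# for illustration; they do not come from the thread.

# hexkey N: print N random bytes as a 0x-prefixed hex string, the hex key
# form that setkey accepts.
hexkey() {
    printf '0x%s\n' "$(head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n')"
}

# make_setkey_conf LOCAL REMOTE: print the configuration on stdout.
# Each SA carries two independent keys; their lengths are fixed by the
# algorithm, so they differ: rijndael-cbc takes 128 bits (16 bytes),
# hmac-sha1 takes 160 bits (20 bytes).
make_setkey_conf() {
    local_ip=$1
    remote_ip=$2
    enc_out=$(hexkey 16);  auth_out=$(hexkey 20)   # outbound SA keys
    enc_in=$(hexkey 16);   auth_in=$(hexkey 20)    # inbound SA keys
    cat <<EOF
flush;
spdflush;
add $local_ip $remote_ip esp 0x1000 -m transport -E rijndael-cbc $enc_out -A hmac-sha1 $auth_out;
add $remote_ip $local_ip esp 0x1001 -m transport -E rijndael-cbc $enc_in -A hmac-sha1 $auth_in;
spdadd $local_ip $remote_ip any -P out ipsec esp/transport//require;
spdadd $remote_ip $local_ip any -P in ipsec esp/transport//require;
EOF
}

# The output contains key material: write it to a root-only file
# (umask 077) and load it with "setkey -f <file>" on both peers,
# swapping the in/out policy directions on the remote side.
make_setkey_conf 192.0.2.1 192.0.2.2
```

The same four keys must be entered on the peer, which is where a peer that accepts only one key for both encryption and authentication does not fit this layout.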