Date: Sat, 11 Jan 2020 12:14:35 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-questions@freebsd.org, FreeBSD <freebsd-ports@FreeBSD.org>
Cc: Victor Sudakov <vas@sibptus.ru>
Subject: Re: replacement of security/ipsec-tools
Message-ID: <F8F2CB6D-FF7D-4EB0-A7F1-A0442A674FC0@ellael.org>
In-Reply-To: <20200110035009.GB67842@admin.sibptus.ru>
References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru>
Victor Sudakov <vas@sibptus.ru> wrote:
> Michael Grimm wrote:

First of all, I'd like to thank all of you for your input, which helped a lot.

>> I am running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
>>     The development of ipsec-tools has been ABANDONED.
>>     ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details about the above mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.

Well, now I do know that security patches have been applied to security/ipsec-tools. Thus one can ignore "Please switch to a secure alternative!"

>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried installing
> strongswan, but it looks too complex and tricky in comparison with
> racoon.
>
> If you ever find good documentation/howto for strongswan on FreeBSD,
> please share with me.

Sorry, but I never tried strongswan as a replacement, mainly due to the reasons you mentioned as well: I couldn't get it running. Thus I used racoon instead.

Kurt mentioned wireguard. I could get the tunnel running, but I failed in getting the routing at both sites running (in my preliminary tests).

Then this mail made my day:

>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

I did install my IPSEC/racoon tunnel many years ago and missed the recent implementation of if_ipsec completely.

Victor, thank you very, very much for pointing me to this interface. Now, my tunnel is far less complicated to implement[1], and I will no longer need security/ipsec-tools at all!

[1] Following if_ipsec(4) and https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because the example with "right" and "left" notation helped to understand if_ipsec(4) better (for me).

Thanks and regards,
Michael
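An added illustration of the static-key if_ipsec(4) setup the message points to, written in the same "left"/"right" notation. This is not code from the thread, from Michael's tunnel, or from FreeBSD: it is a small POSIX shell script that only prints the ifconfig(8) and setkey(8) commands for the left host after checking the key material, so the output can be reviewed before it is run as root. It follows the pattern described in if_ipsec(4) (an interface created with a reqid, and SAs added with setkey(8) that carry the same reqid through `-u`), and the 288-bit key length is taken from the aes-gcm-16 entry in setkey(8)'s algorithm table; check both against the manual pages of the FreeBSD release in use. All addresses, SPIs, the reqid and the keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeBSD.
# Print the ifconfig(8)/setkey(8) commands for a static-key if_ipsec(4)
# tunnel, seen from the "left" host. Nothing is executed here: review the
# output, then run it as root on the left host, and run the script again
# with the left/right arguments (and the SPIs/keys) swapped for the right host.
# Every address, SPI, reqid and key in this file is a constructed placeholder.

# setkey(8) lists aes-gcm-16 with 160/224/288-bit keys (AES key plus 32-bit
# salt). 288 bits = 72 hex digits is required here. Generate real keys on
# the host with:  openssl rand -hex 36
KEY_HEX_LEN=72

# check_key_hex KEY: succeed only for exactly KEY_HEX_LEN hex digits.
# setkey(8) accepts keys written as hex with a 0x prefix.
check_key_hex() {
    case "$1" in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq "$KEY_HEX_LEN" ]
}

# gen_tunnel_config LEFT_PUB RIGHT_PUB LEFT_TUN RIGHT_TUN REMOTE_LAN REQID SPI_OUT SPI_IN KEY_OUT KEY_IN
#   LEFT_PUB/RIGHT_PUB  outer (public) addresses of the two hosts
#   LEFT_TUN/RIGHT_TUN  inner addresses assigned to ipsec0
#   REMOTE_LAN          network behind the right host, routed via the tunnel
#   REQID               ties the interface's SPD entries to the SAs (if_ipsec(4))
#   SPI_OUT/SPI_IN      SPIs of the outbound and inbound SA
#   KEY_OUT/KEY_IN      one key per direction; keys are never shared between SAs
gen_tunnel_config() {
    left_pub=$1 right_pub=$2 left_tun=$3 right_tun=$4 remote_lan=$5
    reqid=$6 spi_out=$7 spi_in=$8 key_out=$9 key_in=${10}
    check_key_hex "$key_out" || { echo "gen_tunnel_config: bad outbound key" >&2; return 1; }
    check_key_hex "$key_in"  || { echo "gen_tunnel_config: bad inbound key" >&2; return 1; }
    [ "$spi_out" != "$spi_in" ] || { echo "gen_tunnel_config: SPIs must differ" >&2; return 1; }
    [ "$key_out" != "$key_in" ] || { echo "gen_tunnel_config: use a distinct key per direction" >&2; return 1; }
    # The generated text contains key material: store it with mode 0600.
    cat <<EOF
# left=$left_pub right=$right_pub (generated; contains keys, keep mode 0600)
ifconfig ipsec0 create reqid $reqid
ifconfig ipsec0 inet tunnel $left_pub $right_pub
ifconfig ipsec0 inet $left_tun/32 $right_tun
route add -net $remote_lan $right_tun
setkey -c <<'SETKEY'
add $left_pub $right_pub esp $spi_out -m tunnel -u $reqid -E aes-gcm-16 0x$key_out;
add $right_pub $left_pub esp $spi_in -m tunnel -u $reqid -E aes-gcm-16 0x$key_in;
SETKEY
EOF
}

# Demo with constructed values (RFC 5737 documentation addresses, dummy keys).
gen_tunnel_config 203.0.113.1 198.51.100.1 10.0.0.1 10.0.0.2 192.168.2.0/24 100 0x1000 0x1001 \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567 \
    fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba98
```

Two choices worth noting: an AEAD cipher (aes-gcm-16) is used so the ESP SAs are never left without integrity protection, and each direction gets its own SPI and key. Static SAs never rekey on their own, so the keys have to be rotated by hand (re-run the script with fresh `openssl rand -hex 36` output on both hosts), and the generated file holds the keys in clear, which is why it is meant to be kept at mode 0600 rather than pasted into a shell history.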