Date: Sat, 11 Jan 2020 16:35:34 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-questions@freebsd.org
Subject: Re: replacement of security/ipsec-tools
Message-ID: <04c75aaa-d844-2ddc-a437-e2bcab2a7b22@otcnet.ru>
In-Reply-To: <20200110035009.GB67842@admin.sibptus.ru>
References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru>
I have successfully used strongswan for about 2 years to connect FreeBSD-FreeBSD and
FreeBSD-Cisco. Configuration is simple:

=====
/usr/local/etc/rc.conf.d/netif/ipec2001:

cloned_interfaces="$cloned_interfaces ipsec2001"
create_args_ipsec2001="reqid 2001"
ifconfig_ipsec2001="inet 10.10.01.2 10.10.01.3 netmask 255.255.255.254 tunnel <local_WAN_ip> <remote_WAN_ip> up"
=====

=====
/usr/local/etc/ipsec.conf

conn tmpl_AES256_SHA256
    left = <local_WAN_ip>
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev1
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    ikelifetime = 28800
    mobike = no
    installpolicy = no
    lifetime = 3600
    auto = start

conn REMOTE1
    right = <remote_WAN_ip>
    reqid = 2001
    also = tmpl_AES256_SHA256
=====

=====
/usr/local/etc/ipsec.secrets

<remote_WAN_ip> <local_WAN_ip> : PSK "super-secret-PSK"
=====

On 10/01/2020 06:50, Victor Sudakov wrote:
> Michael Grimm wrote:
>> [X-posted, please choose the relevant ML for such a thread]
>>
>> Hi,
>>
>> I am running ipsec-tools to implement a VPN tunnel (esp) between
>> two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me
>> think about an alternative: The development of ipsec-tools has been
>> ABANDONED. ipsec-tools has security issues, and you should not use
>> it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details
>> about the above mentioned 'security issues'? I want to find out if
>> my specific setup has security issues at all. Thanks.
>>
>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried
> installing strongswan, but it looks too complex and tricky in
> comparison with racoon.
>
> If you ever find good documentation/howto for strongswan on
> FreeBSD, please share it with me.
>
>>
>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in
> if_ipsec(4).
>

-- 
CU, Victor Gamov
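The ipsec.conf in the post leans on a template conn pulled in through `also =`, so the effective settings of `REMOTE1` are only visible once that inheritance is resolved. The following script is an added example, not code from the post or from the strongSwan project: it parses `conn` sections in ipsec.conf syntax, flattens `also =` (assuming, as ipsec.conf(5) describes, that keys set in the including conn take precedence over the template), and then reports the settings a reviewer would question in the resulting conn: IKEv1 where IKEv2 is available, PSK combined with aggressive mode, legacy algorithm tokens, an `esp =` proposal without a DH group (no perfect forward secrecy on CHILD_SA rekeys), and `installpolicy = no` without the `reqid` that ties the SAs to the if_ipsec(4) interface. `SAMPLE_CONF` is the post's configuration with constructed RFC 5737 placeholder addresses; `HARDENED_CONF` is a constructed variant showing the same tunnel with IKEv2, an AEAD cipher and PFS enabled.

```python
"""Resolve and lint strongSwan ipsec.conf 'conn' sections (added example)."""
import re

# Algorithm tokens that should not appear in a modern ike=/esp= proposal.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}
# Proposal tokens naming a DH group; one in esp= enables PFS for the CHILD_SA.
DH_TOKEN = re.compile(r"^(modp|ecp|curve|x25519|x448)")

# The post's config with constructed placeholder addresses.
SAMPLE_CONF = """\
conn tmpl_AES256_SHA256
    left = 192.0.2.1
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev1
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    ikelifetime = 28800
    mobike = no
    installpolicy = no
    lifetime = 3600
    auto = start

conn REMOTE1
    right = 198.51.100.7
    reqid = 2001
    also = tmpl_AES256_SHA256
"""

# Constructed variant: IKEv2, AEAD cipher, DH group in esp= for PFS.
HARDENED_CONF = """\
conn REMOTE1
    left = 192.0.2.1
    right = 198.51.100.7
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev2
    ike = aes256gcm16-prfsha256-modp2048
    esp = aes256gcm16-modp2048
    installpolicy = no
    reqid = 2001
    auto = start
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value, "also": [templates]}} from ipsec.conf text.

    Indented lines belong to the most recent 'conn NAME' header; any other
    unindented line (e.g. 'config setup') ends the current conn section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"conn\s+(\S+)$", line)
            current = sections.setdefault(m.group(1), {"also": []}) if m else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "also":
            current["also"].append(value)    # may occur more than once
        else:
            current[key] = value
    return sections


def resolve(sections, name, chain=()):
    """Flatten also= inheritance; keys set in the including conn win (assumed)."""
    if name in chain:
        raise ValueError("also= loop: " + " -> ".join(chain + (name,)))
    own = sections[name]
    merged = {}
    for template in own["also"]:
        merged.update(resolve(sections, template, chain + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def lint(conn):
    """Return a list of findings for one resolved conn."""
    findings = []
    if conn.get("keyexchange", "ike") == "ikev1":
        findings.append("keyexchange=ikev1: prefer ikev2 where the peer supports it")
    if conn.get("authby") == "psk" and conn.get("aggressive", "no") == "yes":
        findings.append("authby=psk with aggressive=yes: IKEv1 aggressive mode exposes the PSK to offline guessing")
    for key in ("ike", "esp"):
        for proposal in filter(None, conn.get(key, "").split(",")):
            for alg in proposal.split("-"):
                if alg.strip().lower() in WEAK_ALGS:
                    findings.append(f"{key}={proposal}: weak algorithm '{alg}'")
    if "ike" not in conn or "esp" not in conn:
        findings.append("missing ike=/esp=: strongSwan's default proposals may be broader than intended")
    else:
        for proposal in conn["esp"].split(","):
            if not any(DH_TOKEN.match(a) for a in proposal.split("-")):
                findings.append(f"esp={proposal}: no DH group, so CHILD_SA rekeys have no perfect forward secrecy")
    if conn.get("installpolicy") == "no" and "reqid" not in conn:
        findings.append("installpolicy=no without reqid: SAs are not tied to an if_ipsec(4) interface")
    return findings


def lint_conf(text):
    """Parse, resolve and lint every conn; returns {conn_name: [findings]}."""
    sections = parse_ipsec_conf(text)
    return {name: lint(resolve(sections, name)) for name in sections}


if __name__ == "__main__":
    for label, conf in (("post", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        for name, findings in lint_conf(conf).items():
            print(f"[{label}] conn {name}: {len(findings)} finding(s)")
            for finding in findings:
                print("   -", finding)
```

Run against the post's config, `REMOTE1` resolves to a complete conn and draws two findings (IKEv1, and an `esp =` proposal with no DH group); the template on its own additionally lacks the `reqid` that `installpolicy = no` depends on, which is exactly why it is only usable through `also =`. The hardened variant produces no findings.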