From: VANHULLEBUS Yvan
To: Alexey Popov
Cc: freebsd-net@freebsd.org, Brian Candler
Date: Thu, 29 Dec 2005 12:24:14 +0100
Subject: Re: IPSEC documentation
Message-ID: <20051229112414.GA1257@zen.inc>
In-Reply-To: <43B38747.1060906@iteranet.com>

On Thu, Dec 29, 2005 at 09:50:47AM +0300, Alexey Popov wrote:
> Hi.
>
> VANHULLEBUS Yvan wrote:
> >> - L2TP + IPSEC transport mode (= Windows road warrior)
> > Did someone try such a setup?
> > Is there a L2TPD daemon running on FreeBSD which could be used for
> > that?
> I'm successfully using security/racoon and net/sl2tps with Windows
> XP/2003 L2TP clients. I've tried pre-shared key as well as X.509
> certificates auth.

Interesting, I'll try to play with that!

> > Note also that, for now, this won't work easily, as it will require
> > dynamic SP entries (roadwarriors....), but I think racoon currently
> > can't deal with dynamic policies when ports are specified (I'll check
> > that).
> racoon has passive_mode option. When it is enabled, racoon can create
> SPD entries for road warriors.

Not exactly: generating policies works when racoon is responder (so
passive_mode is just a safety check).

And I was just talking about potential complex bundles (don't remember
exactly what Windows sends for phase 2, but I think the first proposals
are AH+ESP, which will cause problems for generating policies with
actual racoon versions) and about policies with ports only (but perhaps
I only had some problems with complex bundles when I had a quick look
at such negotiations).

> If we would also have NAT-T support, FreeBSD would be the best choice
> of VPN concentrator.

The ipsec-tools port is set to natt "kernel autodetect", and I already
have a working patch for FreeBSD6
(http://ipsec-tools.sf.net/freebsd6-natt.diff), which will need some
more work (cleaner way of detecting kernel NAT-T support, sync with
recent NetBSD devels, port to FAST-IPSEC, etc...), which are all on my
(very busy) TODO list.

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
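The responder setup the thread describes (racoon acting only as responder for Windows L2TP/IPsec road warriors, with policies generated from the client's phase 2 proposal) as a racoon.conf fragment. This is an added illustration, not configuration from either poster or from the ipsec-tools project; the listen address and PSK path are placeholders, and the keyword names used are the `passive`, `generate_policy` and `nat_traversal` options of racoon.conf as I know them, not the "passive_mode" wording of the message.

```conf
# /usr/local/etc/racoon/racoon.conf  (added example; addresses/paths are placeholders)
# keep psk.txt readable by root only
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
        # placeholder public address of the VPN concentrator
        isakmp 192.0.2.1 [500];
        # UDP/4500 only matters once the kernel has NAT-T support
        # (the FreeBSD 6 patch mentioned in the message)
        isakmp_natt 192.0.2.1 [4500];
}

remote anonymous {
        exchange_mode main;
        # responder only: road warriors always initiate, so refuse to
        # start negotiations ourselves (the "safety check" in the message)
        passive on;
        # install SPD entries from the peer's phase 2 proposal instead of
        # keeping static setkey policies per client; as the message notes,
        # a proposal carrying an AH+ESP bundle may not turn into a usable
        # generated policy with the racoon versions of the time
        generate_policy on;
        proposal_check obey;
        # honoured only when racoon and the kernel both support NAT-T
        nat_traversal on;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        # transport-mode ESP for the L2TP flow (UDP/1701); the selector
        # comes from the client's proposal, not from a static policy here
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With `generate_policy on` the SPD is populated per client at phase 2 time, so `setkey -DP` on the concentrator is the place to confirm which transport-mode policies a connected road warrior actually ended up with.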