Date:      Sat, 11 Jan 2020 12:14:35 +0100
From:      Michael Grimm <trashcan@ellael.org>
To:        freebsd-questions@freebsd.org, FreeBSD <freebsd-ports@FreeBSD.org>
Cc:        Victor Sudakov <vas@sibptus.ru>
Subject:   Re: replacement of security/ipsec-tools
Message-ID:  <F8F2CB6D-FF7D-4EB0-A7F1-A0442A674FC0@ellael.org>
In-Reply-To: <20200110035009.GB67842@admin.sibptus.ru>
References:  <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru>

Victor Sudakov <vas@sibptus.ru> wrote:
> Michael Grimm wrote:

First of all, I'd like to thank all of you for your input, which helped a lot.

>> I have been running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
>> 	The development of ipsec-tools has been ABANDONED.
>> 	ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details about the above mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.

Well, now I do know that security patches have been applied to security/ipsec-tools. Thus one can ignore "Please switch to a secure alternative!"

>> What would be a secure alternative if one is needed?
>> 	#) security/racoon2
>> 	#) security/strongswan
>> 	#) something else?
>
> There was also security/isakmpd but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried installing
> strongswan, but it looks too complex and tricky in comparison with
> racoon.
>
> If you ever find good documentation/howto for strongswan on FreeBSD,
> please share it with me.

Sorry, but I never tried strongswan as a replacement, mainly due to the reasons you mentioned as well: I couldn't get it running. Thus I used racoon instead.

Kurt mentioned WireGuard. I could get the tunnel running, but I failed in getting the routing at both sites running (in my preliminary tests).

Then this mail made my day:

>> What do I need?
>> 	#) a VPN tunnel between two hosts
>> 	#) both local networks reachable from the remote host
>
> That is what kernel IPsec is for; you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

I did install my IPsec/racoon tunnel many years ago and missed the recent implementation of if_ipsec completely.

Victor, thank you very, very much for pointing me to this interface. Now, my tunnel is far less complicated to implement[1], and I will no longer need security/ipsec-tools at all!

[1] Following if_ipsec(4) and https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because the example with "right" and "left" notation helped me to understand if_ipsec(4) better.

Thanks and regards,
Michael
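The setup the thread converges on (a static-key kernel IPsec tunnel on an if_ipsec(4) interface, with both LANs routed through it) as an added example that is not part of this thread, the FreeBSD manual pages or the linked OPNsense issue; all addresses, SPIs and the ipsec0 name are constructed, and the script assumes root on a FreeBSD host with IPsec support in the kernel:

```shell
#!/bin/sh
# Added example (not from this thread or the FreeBSD manual pages): a
# static-key if_ipsec(4) tunnel plus the LAN-to-LAN routes.  All addresses
# are constructed:
#   local  host 192.0.2.1, local  LAN 192.168.1.0/24, tunnel address 10.0.0.1
#   remote host 192.0.2.2, remote LAN 192.168.2.0/24, tunnel address 10.0.0.2
# The peer runs the same script with LOCAL_*/REMOTE_* swapped, the two SPIs
# swapped, and the same keys.
REQID=100                 # ties the interface to its SAs (setkey -u below)
LOCAL_HOST=192.0.2.1;     REMOTE_HOST=192.0.2.2
LOCAL_LAN=192.168.1.0/24; REMOTE_LAN=192.168.2.0/24
LOCAL_TUN=10.0.0.1;       REMOTE_TUN=10.0.0.2
SPI_OUT=10000;            SPI_IN=10001
# Static keys are never rotated, so they must be random and full length
# (e.g. 0x$(openssl rand -hex N)): rijndael-cbc (AES-128) takes 16 bytes,
# hmac-sha2-256 takes 32 bytes.  key_ok 0xHEX NBYTES succeeds iff so.
key_ok() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || return 1
    [ "${#hex}" -eq $(( $2 * 2 )) ] || return 1
    case $hex in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}
# setkey(8) input for this side: one tunnel-mode ESP SA per direction, both
# tagged with REQID.  The ipsec interface installs its own security policies
# and selects the SAs by that reqid, so no spdadd lines are needed.
setkey_conf() {   # setkey_conf ENC_KEY AUTH_KEY
    key_ok "$1" 16 && key_ok "$2" 32 || return 1
    cat <<EOF
add $LOCAL_HOST $REMOTE_HOST esp $SPI_OUT -m tunnel -u $REQID -E rijndael-cbc $1 -A hmac-sha2-256 $2;
add $REMOTE_HOST $LOCAL_HOST esp $SPI_IN -m tunnel -u $REQID -E rijndael-cbc $1 -A hmac-sha2-256 $2;
EOF
}
# Bring it up (root on FreeBSD with IPSEC in the kernel or ipsec.ko loaded).
apply_tunnel() {   # apply_tunnel ENC_KEY AUTH_KEY
    conf=$(setkey_conf "$1" "$2") || return 1
    ifconfig ipsec0 create reqid "$REQID"
    ifconfig ipsec0 inet tunnel "$LOCAL_HOST" "$REMOTE_HOST"
    ifconfig ipsec0 inet "$LOCAL_TUN/32" "$REMOTE_TUN" up
    printf '%s\n' "$conf" | setkey -c
    # The step the thread got stuck on: route the remote LAN through the
    # tunnel peer; the remote host adds the mirror route for $LOCAL_LAN.
    route add -net "$REMOTE_LAN" "$REMOTE_TUN"
    sysctl net.inet.ip.forwarding=1
}
```

Calling `apply_tunnel "$(printf '0x%s' "$(openssl rand -hex 16)")" "$(printf '0x%s' "$(openssl rand -hex 32)")"` generates fresh keys on one side; the peer must receive exactly those two values out of band.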
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F8F2CB6D-FF7D-4EB0-A7F1-A0442A674FC0>