From: Michael Grimm
Subject: Re: replacement of security/ipsec-tools
Date: Sat, 11 Jan 2020 12:14:35 +0100
To: freebsd-questions@freebsd.org, FreeBSD
Cc: Victor Sudakov
In-Reply-To: <20200110035009.GB67842@admin.sibptus.ru>
References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru>
List-Id: Porting software to FreeBSD

Victor Sudakov wrote:
> Michael Grimm wrote:

First of all, I'd like to thank all of you for your input, which helped a lot.

>> I have been running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
>> The development of ipsec-tools has been ABANDONED.
>> ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details about the above-mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.

Well, now I do know that security patches have been applied to security/ipsec-tools. Thus one can ignore "Please switch to a secure alternative!"

>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd, but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried installing
> strongswan, but it looks too complex and tricky in comparison with
> racoon.
>
> If you ever find good documentation/howto for strongswan on FreeBSD,
> please share it with me.

Sorry, but I never tried strongswan as a replacement, mainly due to the reasons you mentioned as well: I couldn't get it running. Thus I used racoon instead.

Kurt mentioned wireguard. I could get the tunnel running, but I failed in getting the routing at both sites running (in my preliminary tests).

Then this mail made my day:

>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPsec is for; you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

I did install my IPsec/racoon tunnel many years ago and missed the recent implementation of if_ipsec completely.

Victor, thank you very, very much for pointing me to this interface. Now my tunnel is far less complicated to implement[1], and I will no longer need security/ipsec-tools at all!

[1] Following if_ipsec(4) and https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because the example with "right" and "left" notation helped me to understand if_ipsec(4) better.

Thanks and regards,
Michael
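The static-key if_ipsec(4) setup Victor points to, and the "left"/"right" mirroring Michael found helpful, as an added example that is not code from this thread, from if_ipsec(4) or from the linked OPNsense issue. The script generates the ifconfig commands for each end and the setkey(8) SAD entries both ends share, and it refuses keys of the wrong length before anything reaches the kernel. Everything concrete is constructed: the public endpoints 192.0.2.1/192.0.2.2, inner addresses 10.0.0.1/10.0.0.2, LANs 192.168.1.0/24 and 192.168.2.0/24, reqid 100, SPIs 1000/1001, and the choice of rijndael-cbc with hmac-sha2-256 (one of several algorithm pairs setkey(8) accepts). Two things the man page example does not spell out: the reqid given to the interface must equal the -u value on the SAs, and manual keying never rekeys, so treat the generated file as a secret (mode 0600) and rotate keys with fresh SPIs on a schedule.

```shell
#!/bin/sh
# Static-key if_ipsec(4) tunnel between two FreeBSD hosts, generated for both
# ends from one set of parameters. Added example for this thread, not code
# from the mail or from the if_ipsec(4) man page; addresses, SPIs and reqid
# are constructed, and rijndael-cbc/hmac-sha2-256 is one algorithm choice
# among those setkey(8) supports.

# Hex-encode N random bytes from /dev/urandom for the static keys.
rand_hex() {
    head -c "$1" /dev/urandom | od -A n -t x1 | tr -d ' \n'
}

# Succeed only if KEY is hex and exactly WANT bytes long. setkey(8) takes
# rijndael-cbc keys of 16/24/32 bytes and hmac-sha2-256 keys of 32 bytes;
# a wrong length is rejected by setkey, so catch it before loading anything.
check_key_len() {
    key=$1; want=$2
    [ "${#key}" -eq $((want * 2)) ] &&
        [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ]
}

# Commands for one end ("left" or "right"). Outer tunnel endpoints, inner /32
# addresses and the route to the remote LAN are mirrored between the ends;
# the reqid must equal the -u value of the SAs so the interface uses them.
side_config() {
    side=$1; left=$2; right=$3; left_in=$4; right_in=$5
    left_lan=$6; right_lan=$7; reqid=$8
    case $side in
    left)  me=$left;  peer=$right; me_in=$left_in;  peer_in=$right_in; peer_lan=$right_lan ;;
    right) me=$right; peer=$left;  me_in=$right_in; peer_in=$left_in;  peer_lan=$left_lan ;;
    *)     echo "side must be left or right" >&2; return 1 ;;
    esac
    cat <<EOF
ifconfig ipsec0 create reqid $reqid
ifconfig ipsec0 inet tunnel $me $peer
ifconfig ipsec0 inet $me_in/32 $peer_in
route add -net $peer_lan $peer_in
EOF
}

# setkey(8) SAD entries. With manual keying both hosts install the same two
# SAs (an SA is identified by destination address and SPI), so this output
# is loaded unchanged on left and right. if_ipsec(4) installs the security
# policies itself; only the SAs with the matching reqid are needed here.
sad_entries() {
    left=$1; right=$2; reqid=$3; spi_lr=$4; spi_rl=$5
    enc_lr=$6; auth_lr=$7; enc_rl=$8; auth_rl=$9
    check_key_len "$enc_lr" 32 && check_key_len "$enc_rl" 32 || return 1
    check_key_len "$auth_lr" 32 && check_key_len "$auth_rl" 32 || return 1
    cat <<EOF
add $left $right esp $spi_lr -m tunnel -u $reqid -E rijndael-cbc 0x$enc_lr -A hmac-sha2-256 0x$auth_lr;
add $right $left esp $spi_rl -m tunnel -u $reqid -E rijndael-cbc 0x$enc_rl -A hmac-sha2-256 0x$auth_rl;
EOF
}

# Demo with constructed addresses: 192.0.2.1 (left) and 192.0.2.2 (right)
# are the public endpoints, 10.0.0.1/10.0.0.2 the inner tunnel addresses,
# 192.168.1.0/24 and 192.168.2.0/24 the LANs behind each host.
demo() {
    e1=$(rand_hex 32); a1=$(rand_hex 32); e2=$(rand_hex 32); a2=$(rand_hex 32)
    echo "# --- left host ---"
    side_config left 192.0.2.1 192.0.2.2 10.0.0.1 10.0.0.2 192.168.1.0/24 192.168.2.0/24 100
    echo "# --- right host ---"
    side_config right 192.0.2.1 192.0.2.2 10.0.0.1 10.0.0.2 192.168.1.0/24 192.168.2.0/24 100
    echo "# --- /etc/ipsec.conf for BOTH hosts (load with: setkey -f /etc/ipsec.conf) ---"
    sad_entries 192.0.2.1 192.0.2.2 100 1000 1001 "$e1" "$a1" "$e2" "$a2"
}
demo
```

Run it once, paste the per-host block into each host's rc (ifconfig_ipsec0 lines or a small rc.d script) and the shared SAD into /etc/ipsec.conf with ipsec_enable="YES", then confirm with `setkey -D` that both SAs show the reqid and with `ping` across the inner addresses. The two keys per direction are independent on purpose: reusing one key for both SAs would let a captured packet be replayed in the other direction.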