Date:      Sat, 11 Jan 2020 18:23:07 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: replacement of security/ipsec-tools
Message-ID:  <20200111112307.GA62210@admin.sibptus.ru>
In-Reply-To: <20200110065131.GA79879@admin.sibptus.ru>
References:  <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru> <20200110065131.GA79879@admin.sibptus.ru>

Victor Sudakov wrote:
> >
> > If you ever find good documentation/howto  for strongswan on FreeBSD,
> > please share with me.
>
> Really, please! I know there are people present here using strongswan.
>
> I would like to try and replace racoon with it.

Now thanks to Sergey Matveev and some good docs on
https://wiki.strongswan.org/, I have some working examples of
strongswan usage.  I must admit it is rather elegant.

But for this bug-or-feature: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
I could even easily and elegantly secure all communications between my
FreeBSD hosts (I can't of course due to the above bug, but this is not
strongswan's fault).

However, not the same with Windows. By much experimenting, I once
created a working configuration for IPsec transport mode between FreeBSD
and Windows with racoon:

remote "win2012" {
        exchange_mode main;
        my_identifier address;
        peers_identifier address;
        remote_address 192.168.246.12;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha512,hmac_sha384,hmac_sha256,hmac_sha1;
        compression_algorithm deflate;
}

But now when I try to replace racoon with strongswan, the following
configuration does not work:

conn Win2012
    keyexchange=ikev1
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!
    left=192.168.246.1
    right=192.168.246.12
    type=transport
    compress=yes
    authby=psk
    auto=route

In Wireshark, I see ISAKMP exchange between 192.168.246.1 and
192.168.246.12. Also "service strongswan status" reports that there is a SA:

Security Associations (1 up, 0 connecting):
     Win2012[5]: ESTABLISHED 114 seconds ago, 192.168.246.1[192.168.246.1]...192.168.246.12[192.168.246.12]

but in fact there are none:

# setkey -D
No SAD entries.




-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
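The message above migrates a racoon (ipsec-tools) configuration to a strongSwan conn by hand. When reviewing such a migration, the first thing to check is whether the new conn actually expresses the same phase 1 and phase 2 proposals, lifetime and compression settings as the old one, because a narrower or weaker proposal list is easy to introduce silently. The following script is an added example, not code from the post, from racoon or from strongSwan: it parses the racoon.conf and ipsec.conf fragments quoted in the message, derives strongSwan keywords from the racoon settings, and lists every keyword where the hand-written conn differs. The racoon-to-strongSwan keyword maps (ENC, HASH, AUTH, DH), the choice to render racoon's bare `aes` as `aes128`, and the function names are assumptions of this example; transport mode is not derived because racoon keeps it in the SPD rather than in racoon.conf.

```python
"""Added example (not from the mailing-list post): derive strongSwan ipsec.conf
keywords from racoon.conf 'remote'/'sainfo' settings and report where a
hand-written conn diverges.  Keyword maps below are assumptions; verify them
against the strongSwan IKEv1 cipher-suite documentation for your version."""

# Assumed racoon -> strongSwan keyword maps.  racoon's bare 'aes' (no key
# length) is rendered as aes128 here; that is an assumption of this example.
ENC = {"des": "des", "3des": "3des", "aes": "aes128"}
HASH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
        "sha384": "sha384", "sha512": "sha512"}
AUTH = {"hmac_md5": "md5", "hmac_sha1": "sha1", "hmac_sha256": "sha256",
        "hmac_sha384": "sha384", "hmac_sha512": "sha512"}
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

# Fragments quoted from the message above (racoon.conf, then ipsec.conf).
RACOON_CONF = """
remote "win2012" {
        exchange_mode main;
        my_identifier address;
        peers_identifier address;
        remote_address 192.168.246.12;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha512,hmac_sha384,hmac_sha256,hmac_sha1;
        compression_algorithm deflate ;
}
"""
HANDWRITTEN_CONN = """
conn Win2012
    keyexchange = ikev1
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!
    left=192.168.246.1
    right=192.168.246.12
    type=transport
    compress=yes
    authby=psk
    auto=route
"""


def parse_racoon(text):
    """Parse a racoon.conf fragment into {block_type: {keyword: value}}.
    The 'proposal' block nested in 'remote' is stored under its own key."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                 # e.g. 'remote "win2012" {'
            name = line[:-1].split()[0]
            stack.append(name)
            blocks.setdefault(name, {})
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.rstrip(";").strip().partition(" ")
        blocks[stack[-1]][key] = " ".join(value.split())
    return blocks


def racoon_to_strongswan(blocks):
    """Express racoon phase 1 (remote/proposal) and phase 2 (sainfo) settings
    as strongSwan conn keywords."""
    remote, p1, p2 = blocks["remote"], blocks["proposal"], blocks["sainfo"]
    conn = {
        "keyexchange": "ikev1",
        "aggressive": "yes" if remote.get("exchange_mode") == "aggressive" else "no",
        "right": remote["remote_address"],
        "authby": "psk" if p1["authentication_method"] == "pre_shared_key"
                  else p1["authentication_method"],
        "ike": "-".join((ENC.get(p1["encryption_algorithm"], p1["encryption_algorithm"]),
                         HASH.get(p1["hash_algorithm"], p1["hash_algorithm"]),
                         DH.get(p1["dh_group"], p1["dh_group"]))),
    }
    pfs = DH.get(p2.get("pfs_group", ""), "")
    # racoon's comma lists are cross-multiplied into one strongSwan proposal each
    conn["esp"] = ",".join(
        "-".join(part for part in (ENC.get(enc, enc), AUTH.get(auth, auth), pfs) if part)
        for enc in p2["encryption_algorithm"].split(",")
        for auth in p2["authentication_algorithm"].split(","))
    if "compression_algorithm" in p2:
        conn["compress"] = "yes"
    if p2.get("lifetime", "").startswith("time "):
        _, amount, unit = p2["lifetime"].split()   # 'time 1 hour' -> '1h'
        conn["lifetime"] = amount + unit[0]
    return conn


def parse_conn(text):
    """Read key=value lines of an ipsec.conf conn; the '!' strict flag is dropped."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip().rstrip("!")
    return conn


def divergences(generated, handwritten):
    """Keywords whose racoon-derived value differs from the hand-written conn.
    None on the hand-written side means the keyword was left at strongSwan's default."""
    return {k: (v, handwritten.get(k)) for k, v in generated.items()
            if handwritten.get(k) != v}


def check_migration(racoon_conf=RACOON_CONF, conn_text=HANDWRITTEN_CONN):
    """Return (derived conn keywords, divergences from the hand-written conn)."""
    generated = racoon_to_strongswan(parse_racoon(racoon_conf))
    return generated, divergences(generated, parse_conn(conn_text))


if __name__ == "__main__":
    generated, diff = check_migration()
    print("conn derived from racoon.conf:")
    for key, value in generated.items():
        print(f"    {key}={value}")
    for key, (derived, written) in diff.items():
        print(f"differs: {key}: derived={derived!r} hand-written={written!r}")
```

Run on the two fragments from the post, the script reports that the derived `esp` list (eight AES/3DES proposals with the SHA-2 and SHA-1 integrity options racoon allowed, each with modp1024 PFS) is broader than the single `3des-sha1-modp1024` proposal in the hand-written conn, and that `lifetime` (racoon's 1 hour) is not set in the conn at all. Whether any of that matters for a given peer depends on what the peer accepts; the point of the check is to make such differences visible at review time instead of discovering them in a packet capture.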
