From: Victor Sudakov
To: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Date: Sat, 11 Jan 2020 18:23:07 +0700
Subject: Re: replacement of security/ipsec-tools
Message-ID: <20200111112307.GA62210@admin.sibptus.ru>
In-Reply-To: <20200110065131.GA79879@admin.sibptus.ru>

Victor Sudakov wrote:
> >
> > If you ever find good documentation/howto for strongswan on FreeBSD,
> > please share with me.
>
> Really, please! I know there are people present here using strongswan.
>
> I would like to try and replace racoon with it.

Now thanks to Sergey Matveev and some good docs on
https://wiki.strongswan.org/ , I have some working examples of
strongswan usage. I must admit it is rather elegant.
But for this bug-or-feature:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
I could even easily and elegantly secure all communications between my
FreeBSD hosts (I can't of course due to the above bug, but this is not
strongswan's fault).

However, not the same with Windows. By much experimenting, I once
created a working configuration for IPsec transport mode between
FreeBSD and Windows with racoon:

remote "win2012" {
        exchange_mode main;
        my_identifier address;
        peers_identifier address;
        remote_address 192.168.246.12;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha512,hmac_sha384,hmac_sha256,hmac_sha1;
        compression_algorithm deflate;
}

But now when I try to replace racoon with strongswan, the following
configuration does not work:

conn Win2012
        keyexchange = ikev1
        ike=3des-sha1-modp1024!
        esp=3des-sha1-modp1024!
        left=192.168.246.1
        right=192.168.246.12
        type=transport
        compress=yes
        authby=psk
        auto=route

In Wireshark, I see ISAKMP exchange between 192.168.246.1 and
192.168.246.12. Also "service strongswan status" reports that there is
a SA:

Security Associations (1 up, 0 connecting):
     Win2012[5]: ESTABLISHED 114 seconds ago, 192.168.246.1[192.168.246.1]...192.168.246.12[192.168.246.12]

but in fact there are none:

# setkey -D
No SAD entries.
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
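A small converter, added here as an example and not part of the thread or of either project, that maps the racoon "remote" and "sainfo" blocks in the post above onto strongSwan ike=/esp= proposal strings; the keyword table, the reading of racoon's bare "aes" as 128-bit AES, and the rendered conn layout are assumptions. It makes visible that the racoon sainfo offered eight encryption/authentication pairings for phase 2 (2 ciphers x 4 integrity algorithms, all with PFS group 2), whereas the esp= line in the post offers only one.

```python
"""Translate racoon (ipsec-tools) IKEv1 proposals into strongSwan ipsec.conf
ike=/esp= strings. Added example, not code from the thread or either project;
the keyword table is an assumption and bare "aes" is read as 128-bit AES."""
from itertools import product

ENC = {"3des": "3des", "aes": "aes128"}                  # assumed mapping
AUTH = {"sha1": "sha1", "hmac_sha1": "sha1", "hmac_sha256": "sha256",
        "hmac_sha384": "sha384", "hmac_sha512": "sha512"}
DH = {2: "modp1024", 14: "modp2048"}                    # IKE DH group numbers


def phase1_to_ike(encryption, hash_alg, dh_group, strict=True):
    """racoon 'remote { proposal {...} }' -> strongSwan ike= value."""
    prop = f"{ENC[encryption]}-{AUTH[hash_alg]}-{DH[dh_group]}"
    return prop + ("!" if strict else "")


def phase2_to_esp(encryptions, auths, pfs_group=None, strict=True):
    """racoon 'sainfo' lists -> strongSwan esp= value.
    racoon offers every encryption x authentication pairing, so the
    strongSwan proposal list is the cartesian product in racoon's order."""
    props = []
    for enc, auth in product(encryptions, auths):
        parts = [ENC[enc], AUTH[auth]] + ([DH[pfs_group]] if pfs_group else [])
        props.append("-".join(parts))
    return ",".join(props) + ("!" if strict else "")


def racoon_to_conn(name, left, right, phase1, phase2, lifetime="1h"):
    """Render a strongSwan conn section for IKEv1 transport mode with IPComp."""
    body = ["keyexchange=ikev1", f"ike={phase1_to_ike(**phase1)}",
            f"esp={phase2_to_esp(**phase2)}", f"lifetime={lifetime}",
            f"left={left}", f"right={right}", "type=transport",
            "compress=yes", "authby=psk", "auto=route"]
    return f"conn {name}\n" + "\n".join("    " + line for line in body)


if __name__ == "__main__":
    # values copied from the racoon config in the post
    p1 = dict(encryption="3des", hash_alg="sha1", dh_group=2)
    p2 = dict(encryptions=["aes", "3des"], pfs_group=2,
              auths=["hmac_sha512", "hmac_sha384", "hmac_sha256", "hmac_sha1"])
    print(racoon_to_conn("Win2012", "192.168.246.1", "192.168.246.12", p1, p2))
```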