Date: Sat, 11 Jan 2020 18:23:07 +0700 From: Victor Sudakov <vas@sibptus.ru> To: freebsd-questions@freebsd.org, freebsd-net@freebsd.org Subject: Re: replacement of security/ipsec-tools Message-ID: <20200111112307.GA62210@admin.sibptus.ru> In-Reply-To: <20200110065131.GA79879@admin.sibptus.ru> References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru> <20200110065131.GA79879@admin.sibptus.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
--envbJBWh7q8WU6mo Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Victor Sudakov wrote: > >=20 > > If you ever find good documentation/howto for strongswan on FreeBSD, > > please share with me. >=20 > Really, please! I know there are people present here using strongswan. >=20 > I would like to try and replace racoon with it. Now thanks to Sergey Matveev and some good docs on https://wiki.strongswan.org/ , I have some working examples of strongswan usage. I must admit it is rather elegant. But for this bug-or-feature: https://bugs.freebsd.org/bugzilla/show_bug.cgi= ?id=3D242744=20 I could even easily and elegantly secure all communications between my FreeBSD hosts (I can't of course due to the above bug, but this is not strongswan's fault). However, not the same with Windows. By much experimenting, I once created a working configuration for IPsec transport mode between FreeBSD and Windows with racoon: remote "win2012" { exchange_mode main; my_identifier address; peers_identifier address; remote_address 192.168.246.12; proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } = =20 } = =20 sainfo anonymous { pfs_group 2; lifetime time 1 hour; encryption_algorithm aes,3des; authentication_algorithm hmac_sha512,hmac_sha384,hmac_sha256,hmac_s= ha1; compression_algorithm deflate ; } = =20 But now when I try to replace racoon with strongswan, the following configuration does not work: conn Win2012 keyexchange =3D ikev1 ike=3D3des-sha1-modp1024! esp=3D3des-sha1-modp1024! left=3D192.168.246.1 right=3D192.168.246.12 type=3Dtransport compress=3Dyes authby=3Dpsk auto=3Droute In Wireshark, I see ISAKMP exchange between 192.168.246.1 and 192.168.246.12. Also "service strongswan status" reports that there is a SA: Security Associations (1 up, 0 connecting): Win2012[5]: ESTABLISHED 114 seconds ago, 192.168.246.1[192.168.246.1].= =2E.192.168.246.12[192.168.246.12] but in fact there are none: # setkey -D No SAD entries. --=20 Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ --envbJBWh7q8WU6mo Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJeGbAbAAoJEA2k8lmbXsY0VUQH/2gYBYu96I9B6K5cuoy/0KO+ qqIqPqLrWJt8GtTsCMAURfMTmqz7DhFQ/ZJnJVhuqAu82vFP2RrerWs1ATIRD/q1 Jr1Ex1x2AQfQ7P83irsrjka8sOg9unhugAVNLYHtQAxFLHZhoRlFaP4xctQ9T+/G T1QtFEsSZ4p6k34YIqctfTrT0jkVwEBx1jO5as7CoBGuXst2NnI153BF4OLSigex RWMgHEbDwEM4nEg1kFBpo41BbNjiqRnK3d3LwVEXcaKGp7NQiTP3o0rXCjse2Pt5 AHSZfKg+H/zoLo1cV4M1NOdj0txHCvovShLaNTPchH0x06GE73kv0cFDhPQcmYw= =9EW9 -----END PGP SIGNATURE----- --envbJBWh7q8WU6mo--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200111112307.GA62210>