Date:      Mon, 13 May 2013 15:44:15 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        freebsd-stable@freebsd.org
Subject:   Re:  IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Message-ID:  <20130513134415.GA20624@zeninc.net>
In-Reply-To: <20130417095719.GH3480@vpn.offrom.nl>
References:  <516739C9.4080902@denninger.net> <20130417095719.GH3480@vpn.offrom.nl>

On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
> Hello Karl and FreeBSD friends,

Hi all.

> I recall having read about racoon and roadwarrior. Have a look at
> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
> planning to install this on my server. However I have only little time at
> the moment. I'm also looking for examples of configuration files to work
> with.

First, ipsec-tools is for IKEv1 only, as the subject of the original
mail talks about IKEv2.

For IKEv1 (with ipsec-tools), the simplest way to do this would be to
create a remote "anonymous" and a sainfo "anonymous" section, with
"generate_policy" set to on: racoon will negotiate phase 1 / phase 2,
then will generate SPD entries from the peer's proposal.

Of course, this means that you'll have to trust what your peers will
negotiate as traffic endpoints!

If you have some more time to spend on configuration (recommended!),
you can specify traffic endpoints for the sainfo section: valid
endpoints (which match the sainfo) negotiated by the peer will work as
described above, and other traffic endpoints will not negotiate, as
racoon won't find any related sainfo.


Yvan.
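A racoon.conf fragment, added here as an illustration and not part of the mail above, that contrasts the fully anonymous sainfo Yvan describes first with a sainfo that pins the local traffic endpoint. The addresses, the pre-shared-key file path and the algorithm choices are constructed for the example.

```conf
# Added example (constructed): racoon.conf for an IKEv1 road-warrior responder.
# Addresses, key file path and algorithms are assumptions, not from the mail.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote anonymous {
        exchange_mode main, aggressive;
        passive on;             # responder only: the road warriors initiate
        generate_policy on;     # build SPD entries from the peer's phase 2 proposal
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Variant 1: trust the peer's traffic endpoints entirely. Whatever selectors
# the peer proposes in phase 2 become SPD entries, so a peer can claim any
# address range behind this host as reachable through its tunnel.
sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Variant 2 (recommended): pin the local traffic endpoint. Only phase 2
# proposals whose local side matches 10.0.1.0/24 find this sainfo; any
# other endpoint finds no sainfo and the negotiation fails. The remote side
# stays anonymous because road-warrior addresses are not known in advance.
# Use this block instead of the "sainfo anonymous" above, not in addition.
sainfo address 10.0.1.0/24 any anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```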


