Date: Mon, 13 May 2013 15:44:15 +0200 From: VANHULLEBUS Yvan <vanhu@FreeBSD.org> To: freebsd-stable@freebsd.org Subject: Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling? Message-ID: <20130513134415.GA20624@zeninc.net> In-Reply-To: <20130417095719.GH3480@vpn.offrom.nl> References: <516739C9.4080902@denninger.net> <20130417095719.GH3480@vpn.offrom.nl>
index | next in thread | previous in thread | raw e-mail
On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote: > Hello Karl and FreeBSD friends, Hi all. > I recall having read about racoon and roadwarrior. Have a look to > /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also > planning to install this on my server. However I have only little time at > the moment. I'm also looking for examples of configuration files to work > with. First, ipsec-tools is for IKEv1 only, as the subject of the original mail talks about IKEv2. For IKEv1 (with ipsec-tools), the simplest way to do this would be to create a remote "anonymous" and a sainfo "anonymous" section, with "generate_policy" set to on: racoon will negociate phase 1 / phase 2, then will generate SPD entries from peer's proposal. Of course, this means that you'll have to trust what your peers will negociate as traffic endpoints ! If you have some more time to spend on configuration (recommanded !), you can specify traffic endpoints for the sainfo section: valid endpoints (which match the sainfo) negociated by peer will work as described upper, and other traffic endpoints will not negociate, as racoon won't find any related sainfo. Yvan.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130513134415.GA20624>