From owner-freebsd-stable@FreeBSD.ORG Mon May 13 13:51:25 2013
Date: Mon, 13 May 2013 15:44:15 +0200
From: VANHULLEBUS Yvan
To: freebsd-stable@freebsd.org
Subject: Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Message-ID: <20130513134415.GA20624@zeninc.net>
References: <516739C9.4080902@denninger.net> <20130417095719.GH3480@vpn.offrom.nl>
In-Reply-To: <20130417095719.GH3480@vpn.offrom.nl>

On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
> Hello Karl and FreeBSD friends,

Hi all.

> I recall having read about racoon and roadwarrior. Have a look at
> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
> planning to install this on my server. However I have only little time at
> the moment. I'm also looking for examples of configuration files to work
> with.

First, ipsec-tools is for IKEv1 only, as the subject of the original mail talks about IKEv2.
For IKEv1 (with ipsec-tools), the simplest way to do this would be to create a remote "anonymous" and a sainfo "anonymous" section, with "generate_policy" set to on: racoon will negotiate phase 1 / phase 2, then will generate SPD entries from the peer's proposal.

Of course, this means that you'll have to trust what your peers will negotiate as traffic endpoints!

If you have some more time to spend on configuration (recommended!), you can specify traffic endpoints for the sainfo section: valid endpoints (which match the sainfo) negotiated by the peer will work as described above, and other traffic endpoints will not negotiate, as racoon won't find any related sainfo.

Yvan.
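The two setups described in the reply above, as an added racoon.conf sketch that is not part of the original message: the permissive "anonymous" sainfo with generate_policy beside the restricted variant that pins the traffic endpoints. The addresses (192.168.10.0/24 as the network behind the gateway), certificate file names and paths are assumed placeholders, as is the local-side-first ordering of the sainfo identifiers.

```conf
# Added example, not from the original mail. Addresses, file names and
# paths are assumed placeholders.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate   "/usr/local/etc/racoon/certs";

# Phase 1: accept any peer that authenticates with a verifiable certificate.
# generate_policy on makes racoon install SPD entries from whatever traffic
# endpoints the peer proposes in phase 2.
remote anonymous {
        exchange_mode main;
        passive on;                 # responder only: road warriors initiate
        nat_traversal on;
        generate_policy on;
        proposal_check obey;
        certificate_type x509 "gateway.crt" "gateway.key";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

# Variant A ("simplest way"): any traffic endpoints the peer proposes are
# accepted, so each authenticated peer decides what gets tunnelled.
#sainfo anonymous {
#        pfs_group 2;
#        encryption_algorithm aes;
#        authentication_algorithm hmac_sha1;
#        compression_algorithm deflate;
#}

# Variant B (recommended): only phase 2 proposals whose endpoints match this
# sainfo are accepted; anything else fails to negotiate because racoon finds
# no related sainfo. Assumed ordering: local side first, peer side second;
# 0.0.0.0/0 on the peer side because road-warrior addresses are not known.
sainfo address 192.168.10.0/24 any address 0.0.0.0/0 any {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Keep only one of the two sainfo sections active; with both present, a proposal that misses the explicit one still falls through to the anonymous match.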