From: Karl Denninger <karl@denninger.net>
Date: Mon, 13 May 2013 08:56:09 -0500
To: VANHULLEBUS Yvan
Cc: freebsd-stable@freebsd.org
Subject: Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Message-ID: <5190F0F9.3040908@denninger.net>
In-Reply-To: <20130513134415.GA20624@zeninc.net>

On 5/13/2013 8:44 AM, VANHULLEBUS Yvan wrote:
> On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
>> Hello Karl and FreeBSD friends,
> Hi all.
>
>> I recall having read about racoon and roadwarrior. Have a look at
>> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
>> planning to install this on my server. However I have only little time at
>> the moment. I'm also looking for examples of configuration files to work
>> with.
>
> First, ipsec-tools is for IKEv1 only, as the subject of the original
> mail talks about IKEv2.
>
> For IKEv1 (with ipsec-tools), the simplest way to do this would be to
> create a remote "anonymous" and a sainfo "anonymous" section, with
> "generate_policy" set to on: racoon will negotiate phase 1 / phase 2,
> then will generate SPD entries from the peer's proposal.
>
> Of course, this means that you'll have to trust what your peers
> negotiate as traffic endpoints!
>
> If you have some more time to spend on configuration (recommended!),
> you can specify traffic endpoints for the sainfo section: valid
> endpoints (which match the sainfo) negotiated by the peer will work as
> described above, and other traffic endpoints will not negotiate, as
> racoon won't find any related sainfo.
>
> Yvan.

I have successfully configured StrongSwan for IPSEC/IKEv2 and have it
operating both with Windows clients and also with the BlackBerry Z-10.
It is fast and works very well; I went for the current source directly
rather than the port as I wanted to enable a number of options.

If readers believe there's value in posting the "recipe" I used here
let me know.

-- 
Karl Denninger
karl@denninger.net
/Cuda Systems LLC/
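Added example, not part of this thread and not an ipsec-tools sample file: a racoon.conf for an IKEv1 road-warrior responder built the way Yvan describes, with the "trust whatever the peer proposes" sainfo anonymous variant left disabled beside a sainfo that pins the local traffic selector. The gateway address 203.0.113.1, the LAN 192.168.1.0/24, the certificate file names, and the use of 0.0.0.0/0 as the open remote selector are assumptions made for the example; the directive names are racoon.conf(5) directives.

```conf
# /usr/local/etc/racoon/racoon.conf  (added example; addresses and file
# names below are placeholders, not taken from the thread)

path certificate "/usr/local/etc/racoon/certs";

listen {
    isakmp      203.0.113.1 [500];
    isakmp_natt 203.0.113.1 [4500];   # road warriors are usually behind NAT
}

# One "remote anonymous" section answers any peer address, which is what a
# client on an unknown dynamic address needs.
remote anonymous {
    exchange_mode main;               # certificates allow main mode; a shared
                                      # PSK for unknown peers would force
                                      # aggressive mode, which leaks a crackable
                                      # hash of the PSK
    passive on;                       # gateway only responds, never initiates
    nat_traversal on;
    generate_policy on;               # install SPD entries from the peer's
                                      # phase 2 proposal, so no static setkey
                                      # rules are needed for each client
    proposal_check obey;

    certificate_type x509 "gateway.crt" "gateway.key";
    ca_type x509 "ca.crt";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_identifier on;             # peer ID must match its certificate DN

    proposal {
        encryption_algorithm  aes 256;
        hash_algorithm        sha1;
        authentication_method rsasig;
        dh_group              2;
    }
}

# Weak variant from the message above: any phase 2 selectors an
# authenticated peer proposes are accepted, so a client can have the
# gateway install an SPD entry for any subnet it names. Kept disabled here
# only for comparison.
#
# sainfo anonymous {
#     pfs_group 2;
#     encryption_algorithm     aes 256;
#     authentication_algorithm hmac_sha1;
#     compression_algorithm    deflate;
# }

# Restricted variant: local selector first, remote selector second. Only
# proposals whose gateway-side selector is the 192.168.1.0/24 LAN match; the
# client-side selector is left open because a road warrior's address is not
# known in advance. Any other local selector finds no sainfo and phase 2
# fails, exactly as Yvan describes.
sainfo address 192.168.1.0/24 any address 0.0.0.0/0 any {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm     aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
```

After a client connects, `setkey -DP` on the gateway shows the SPD entries generate_policy created; with the restricted sainfo they should all carry 192.168.1.0/24 on the gateway side, and a client proposing a different local subnet should be refused at phase 2 rather than silently given a policy.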