From owner-freebsd-questions@freebsd.org Wed Oct 9 22:43:54 2019
Date: Wed, 9 Oct 2019 17:38:09 -0500
From: Doug McIntyre <merlyn@geeks.org>
To: freebsd-questions@freebsd.org
Subject: Re: help with setting up IPSEC in FreeBSD 12
Message-ID: <20191009223809.GA7729@geeks.org>
In-Reply-To: <2bda93a7-2c21-c69e-cc11-00d2c78dea71@monkeybrains.net>
On Wed, Oct 09, 2019 at 12:29:38AM -0700, Rudy wrote:
> Now I need key management.  Do I still need to set up racoon?  It looks
> like a lot of configuration when I just want to simply set up encryption
> on a gif link from a FreeBSD box to a Mikrotik.  Is there an easier way
> to do this in FreeBSD 12?

Right, "the wonderful thing about standards is that there are so many to choose from."

You just set up a statically keyed IPsec tunnel. Most of the rest of the world moved to dynamically ISAKMP-keyed tunnels ages ago. That is what racoon does: run the ISAKMP protocol for dynamically keyed tunnels.

Typically the only place statically keyed IPsec tunnels are done is on Unix boxes without bothering to set up racoon, but nowhere else. If you need to go to another type of device, typically one that bills itself as a firewall or router, you are going to be doing ISAKMP dynamically keyed tunnels with security associations set up.
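For reference, the statically keyed setup the reply describes, as an added example that is not from this thread: a setkey(8) configuration for the FreeBSD end of the gif tunnel. The RFC 5737 documentation addresses, the SPIs and the key values are all constructed placeholders; with manual keying the peer must carry the same SPIs and keys, which racoon would otherwise negotiate for you.

```conf
# /etc/ipsec.conf (loaded with "setkey -f"): manually keyed ESP for a gif tunnel.
# Constructed example: 192.0.2.1 is this FreeBSD host, 198.51.100.1 is the peer.
flush;
spdflush;

# One SA per direction. SPI, cipher key and MAC key are fixed here and must
# match the peer exactly. The 0x0123.../0xfedc... values are placeholders, not
# real keys; generate real ones with "openssl rand -hex 16" (AES-128 key) and
# "openssl rand -hex 32" (HMAC-SHA-256 key). Nothing here ever rekeys itself.
add 192.0.2.1 198.51.100.1 esp 0x1000
    -E aes-cbc 0x0123456789abcdef0123456789abcdef
    -A hmac-sha2-256 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;
add 198.51.100.1 192.0.2.1 esp 0x1001
    -E aes-cbc 0xfedcba9876543210fedcba9876543210
    -A hmac-sha2-256 0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210;

# Policy: the gif encapsulation (IP protocol "ipencap") between the two
# endpoints must be ESP-protected in both directions.
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;
```

With racoon (or another IKE daemon) only the spdadd lines stay in this file; the add entries are negotiated and rekeyed automatically, which is the point the reply is making.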