Date: Mon, 13 May 2013 16:31:03 -0500
From: Karl Denninger <karl@denninger.net>
To: Sami Halabi <sodynet1@gmail.com>
Cc: VANHULLEBUS Yvan <vanhu@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Message-ID: <51915B97.8020009@denninger.net>
In-Reply-To: <CAEW%2BogauYOHr=sHLJAbi36sbt_s-4VfR8EgD1j6ZueavoMRyww@mail.gmail.com>
References: <516739C9.4080902@denninger.net> <20130417095719.GH3480@vpn.offrom.nl> <20130513134415.GA20624@zeninc.net> <5190F0F9.3040908@denninger.net> <CAEW%2BogauYOHr=sHLJAbi36sbt_s-4VfR8EgD1j6ZueavoMRyww@mail.gmail.com>
On 5/13/2013 9:36 AM, Sami Halabi wrote:
> Please share the confs.
>
> Sami
> On May 13, 2013 5:25 PM, "Karl Denninger" <karl@denninger.net> wrote:
>
>> On 5/13/2013 8:44 AM, VANHULLEBUS Yvan wrote:
>>> On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
>>>> Hello Karl and FreeBSD friends,
>>> Hi all.
>>>
>>>> I recall having read about racoon and roadwarrior. Have a look at
>>>> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
>>>> planning to install this on my server. However, I have only little time at
>>>> the moment. I'm also looking for examples of configuration files to work
>>>> with.
>>> First, ipsec-tools is for IKEv1 only, as the subject of the original
>>> mail talks about IKEv2.
>>>
>>> For IKEv1 (with ipsec-tools), the simplest way to do this would be to
>>> create a remote "anonymous" and a sainfo "anonymous" section, with
>>> "generate_policy" set to on: racoon will negotiate phase 1 / phase 2,
>>> then will generate SPD entries from the peer's proposal.
>>>
>>> Of course, this means that you'll have to trust what your peers will
>>> negotiate as traffic endpoints!
>>>
>>> If you have some more time to spend on configuration (recommended!),
>>> you can specify traffic endpoints for the sainfo section: valid
>>> endpoints (which match the sainfo) negotiated by the peer will work as
>>> described above, and other traffic endpoints will not negotiate, as
>>> racoon won't find any related sainfo.
>>>
>>>
>>> Yvan.
>>> _______________________________________________
>>> freebsd-stable@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>>>
>> I have successfully configured StrongSwan for IPSEC/IKEv2 and have it
>> operating both with Windows clients and also with the BlackBerry Z-10.
>> It is fast and works very well; I went for the current source directly
>> rather than the port as I wanted to enable a number of options.
>>
>> If readers believe there's value in posting the "recipe" I used here let
>> me know.
>>
>> --
>> Karl Denninger
>> karl@denninger.net
>> /Cuda Systems LLC/
>>
>

Here's a link to a rather long post on setting it up that I put up on my
blog that pretty much walks through the details.

http://market-ticker.org/akcs-www?post=220395

The configuration for StrongSwan looks like this:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
        keyingtries=1
        keyexchange=ikev2

conn BB10
        left=%any
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.2.0/24
        rightid=my@email.address
        rightauth=psk
        leftauth=pubkey
        leftcert=my-host-certificate.pem
        auto=add

conn Win7
        left=%any
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=my-host-certificate.pem
        leftid=@my-host-name
        right=%any
        rightsourceip=192.168.2.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        rekey=no
        dpdaction=clear
        dpddelay=300s
        auto=add

You must have built StrongSwan with:

$ ./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink --disable-tools --disable-scripts --with-group=wheel --enable-eap-gtc --enable-xauth-pam --enable-eap-mschapv2 --enable-md4 --enable-eap-identity

I have both Windows 7 and BlackBerry 10 clients working against this without problems.

--
Karl Denninger
karl@denninger.net
/Cuda Systems LLC/
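An added example (not from Karl's post or from strongSwan itself): a small parser for the ipsec.conf layout used above that resolves "conn %default" inheritance, then checks that every conn really ended up on IKEv2 and that a conn using leftauth=pubkey names a leftcert. The embedded sample is constructed in the shape of the posted file; its "Legacy" conn is an assumption added so the checks have something to report.

```python
# Constructed sample shaped like the posted ipsec.conf; "Legacy" is an assumed conn.
SAMPLE_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
        keyingtries=1
        keyexchange=ikev2
conn BB10
        leftauth=pubkey
        leftcert=my-host-certificate.pem
        auto=add
conn Legacy
        keyexchange=ikev1
        leftauth=pubkey
        auto=add
"""

def parse_ipsec_conf(text):
    """Return {"config setup" | "conn NAME": {key: value}}; headers sit at column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():                   # unindented line: new section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is None:
            raise ValueError(f"setting outside any section: {line.strip()}")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def effective_conns(sections):
    """Resolve 'conn %default' inheritance: a conn's own keys override the defaults."""
    defaults = sections.get("conn %default", {})
    return {name[5:]: {**defaults, **body} for name, body in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def lint(conns):
    """Flag conns that are not on IKEv2, or that claim pubkey auth without a cert."""
    findings = []
    for name, cfg in conns.items():
        if cfg.get("keyexchange") != "ikev2":
            findings.append((name, f"keyexchange={cfg.get('keyexchange', 'unset')}"))
        if cfg.get("leftauth") == "pubkey" and "leftcert" not in cfg:
            findings.append((name, "leftauth=pubkey without leftcert"))
    return findings
```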
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51915B97.8020009>