From owner-freebsd-hackers@freebsd.org Fri Apr 8 07:43:17 2016
Date: Fri, 8 Apr 2016 17:43:14 +1000
Subject: Re: IPSEC tunnels
From: Dewayne Geraghty
To: Wojciech Puchar
Cc: "freebsd-hackers@freebsd.org"

Yes, I've used it in production for 10 years, using fixed passwords between 8 branch sites, an HQ, and a contingency location. I've also used strongSwan (IKEv2) and certificates, but it was non-trivial.

All firewalls were NATed. If you need to filter traffic you'll need to do so via enc0 (as I recall). Sorry, no examples; generally I found it less trouble to filter the interior side of the few, and/or define the ports that you're allowing, though that starts to get messy.

Regards,
Dewayne

PS: and for the paranoid, yes, the password was changed via time-synced ssh :)

On Friday, 8 April 2016, Wojciech Puchar wrote:
> Does anyone use this in production? How about performance? OpenVPN
> performance is poor due to a system call/context switch on every packet.
>
> I found lots of examples of how to configure it, but none where one side is
> behind NAT. Can it be configured that way? Any examples?
-- 
Disclaimer: As implied by email protocols, the information in this message is not confidential. Any intermediary or recipient may inspect, modify (add), copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. Nothing in this message may be legally binding without cryptographic evidence of its integrity and/or confidentiality.
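An added illustration of the "filter via enc0" approach mentioned in the reply above, for FreeBSD's pf. This is not configuration from the thread or from either poster; the outside interface name em0, the HQ and branch networks, and the port list are assumed placeholders. The outside interface only needs to pass IKE (udp/500), NAT-T (udp/4500, where UDP-encapsulated ESP also travels when one side is behind NAT) and plain ESP; the cleartext that comes out of, or goes into, a tunnel is what pf sees on enc0, so that is where the real policy lives.

```pf
# /etc/pf.conf fragment (added example; names and networks are assumptions)
#
# Prerequisites, not shown here:
#   - kernel/module with enc(4); in /etc/rc.conf: ifconfig_enc0="up"
#     (enc0 must be up for pf to see decapsulated IPsec traffic)
#   - an SA/SP setup on both ends (setkey(8)/ipsec.conf or an IKE daemon)
#   - see enc(4) for the net.enc.* sysctls that control which side of
#     IPsec processing the filter hook is attached to

ext_if     = "em0"
hq_net     = "10.0.0.0/24"
branch_net = "10.0.1.0/24"

set skip on lo0

# Outside: only the IPsec control and transport protocols get through.
# udp/4500 carries both IKE with NAT traversal and UDP-encapsulated ESP,
# so it is what a NATed branch actually uses; proto esp covers the
# un-NATed case.
block in on $ext_if
pass in  on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 }
pass in  on $ext_if proto esp
pass out on $ext_if proto esp

# Inside the tunnel (cleartext, seen on enc0): default deny, then allow
# only the services the branches are meant to reach at HQ, and let HQ
# originate whatever it needs towards the branches.
block on enc0
pass in  on enc0 proto tcp from $branch_net to $hq_net port { 22, 443 }
pass in  on enc0 proto icmp from $branch_net to $hq_net
pass out on enc0 from $hq_net to $branch_net
```

To check that the enc0 rules are actually being consulted, run `tcpdump -ni enc0` on the gateway while sending traffic through the tunnel: the decapsulated packets should appear there, and `pfctl -vvsr` should show the enc0 rules' counters increasing. If nothing shows up on enc0, the interface is usually not up, or the traffic is not being matched by any security policy and is leaving in the clear on the outside interface instead.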