Date: Tue, 14 Jan 2020 17:24:06 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: replacement of security/ipsec-tools
Message-ID: <20200114102406.GA59440@admin.sibptus.ru>
In-Reply-To: <76e41e61-3dc6-60f5-d60a-b2571906071e@denninger.net>
References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru> <20200110065131.GA79879@admin.sibptus.ru> <20200111112307.GA62210@admin.sibptus.ru> <b7b56621-6632-b811-4bf1-479e43e25678@denninger.net> <20200113162648.GA10976@admin.sibptus.ru> <76e41e61-3dc6-60f5-d60a-b2571906071e@denninger.net>
Karl Denninger wrote:
> >
> > For the present, however, I'm interested not in an IPSec VPN (in Windows
> > terminology) but in a simple transport mode IPSec between a FreeBSD and a
> > Windows host.
> >
> > My only option for that is IKEv1 because IKEv2 is configured on Windows
> > 10 and Windows 2016 from PowerShell only, and I need to configure a
> > secure connection via Group Policy editor (mmc). I'm still too weak of
> > heart to use PowerShell for IPSec setup.
> >
> > I have this working successfully with racoon (on pre-shared keys) and am
> > investigating the possibility to replace racoon with strongswan.
>
> Gotcha.... I misunderstood the application...  I've not attempted to set
> that up here....

In the Windows IPSec GPO, there are two options for PFS:

1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg

2. "Use session key PFS" in ESP settings: http://admin.sibptus.ru/~vas/pfs_esp.jpg

By default (in a GPO created from scratch) both are unchecked.

Do you perchance know which connection parameters in Strongswan they
correspond to?

Please note that the DH group for IKE is configured separately, and can be
set to 1, 2, or 2048.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
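Added here as an illustration, not part of Victor's message or of the strongSwan project: a swanctl.conf fragment for a transport-mode IKEv1 connection on a pre-shared key, showing where strongSwan expresses the phase-1 Diffie-Hellman group and quick-mode (session key) PFS. The addresses, connection names and secret are assumed; which of the two GPO checkboxes maps to which line is not settled in the thread, and the "Master key PFS" option is left unmapped.

```conf
# Assumed strongSwan 5.x swanctl.conf; hosts, names and the PSK are invented.
connections {
    win-transport {
        version = 1                       # IKEv1, as the Windows GPO requires here
        local_addrs  = 192.0.2.10         # FreeBSD host (assumed)
        remote_addrs = 192.0.2.20         # Windows host (assumed)
        # Phase-1 (IKE SA) proposal. The DH group named here is the IKE
        # Diffie-Hellman group that the GPO sets separately (1, 2 or 2048 bit);
        # modp2048 is the only one of those three still considered adequate.
        proposals = aes256-sha256-modp2048
        local  { auth = psk }
        remote { auth = psk }
        children {
            # A DH group in the ESP proposal makes strongSwan run a fresh
            # Diffie-Hellman exchange in quick mode, i.e. PFS for the session
            # keys; this is the strongSwan side of per-CHILD_SA PFS.
            esp-pfs {
                mode = transport
                esp_proposals = aes256-sha256-modp2048
                start_action = trap       # negotiate on first matching packet
            }
            # The same CHILD_SA with no DH group gives no quick-mode PFS: the
            # ESP keys derive from the IKE SA keying material only. Kept
            # commented out so it cannot be installed next to esp-pfs.
            # esp-nopfs {
            #     mode = transport
            #     esp_proposals = aes256-sha256
            # }
        }
    }
}
secrets {
    ike-win {
        id-1 = 192.0.2.20
        secret = "REPLACE-WITH-LONG-RANDOM-PSK"   # placeholder, not a real key
    }
}
```

The Windows side must offer the same DH group in its ESP settings for quick mode to succeed; a mismatch shows up in strongSwan's log as a failed quick-mode proposal rather than as an authentication error.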