From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: replacement of security/ipsec-tools
Date: Tue, 14 Jan 2020 17:24:06 +0700
Message-ID: <20200114102406.GA59440@admin.sibptus.ru>
In-Reply-To: <76e41e61-3dc6-60f5-d60a-b2571906071e@denninger.net>

Karl Denninger wrote:
> >
> > For the present, however, I'm interested not in an IPSec VPN (in Windows
> > terminology) but in a simple transport mode IPSec between a FreeBSD and a
> > Windows host.
> >
> > My only option for that is IKEv1 because IKEv2 is configured on Windows
> > 10 and Windows 2016 from PowerShell only, and I need to configure a
> > secure connection via Group Policy editor (mmc). I'm still too weak of
> > heart to use PowerShell for IPSec setup.
> >
> > I have this working successfully with racoon (on pre-shared keys) and am
> > investigating the possibility to replace racoon with strongswan.
>
> Gotcha.... I misunderstood the application... I've not attempted to set
> that up here....

In the Windows IPSec GPO, there are two options for PFS:

1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg
2. "Use session key PFS" in ESP settings: http://admin.sibptus.ru/~vas/pfs_esp.jpg

By default (in a GPO created from scratch) both are unchecked.

Do you perchance know which connection parameters in Strongswan they
correspond to?

Please note that the DH group for IKE is configured separately, and can be
set to 1, 2, or 2048.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
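The following ipsec.conf fragment is an added example for readers of this thread; it is not part of the mailing-list exchange and not strongSwan's own documentation. It shows where the two pieces the question is about live in strongSwan's legacy ipsec.conf syntax: the IKE (main mode) DH group goes in the ike= proposal, and session-key (quick mode / ESP) PFS is switched on by appending a DH group to the esp= proposal and off by leaving it out, which is the counterpart of the "Use session key PFS" checkbox. The Windows IKE group numbers 1, 2 and 2048 correspond to strongSwan's modp768, modp1024 and modp2048. The example deliberately does not map the "Master key PFS" option, since that is not answered in the thread. Host addresses, connection name and the PSK are constructed placeholders.

```ini
# ipsec.conf (strongSwan, legacy starter/stroke syntax). Added example,
# not from the mailing-list thread. Addresses are constructed placeholders.
config setup

# IKEv1 transport-mode connection on a pre-shared key, the FreeBSD <-> Windows
# setup described in the thread. The PSK itself is stored in ipsec.secrets as:
#   192.0.2.10 192.0.2.20 : PSK "constructed-example-psk"
conn win-transport
    keyexchange=ikev1
    type=transport
    authby=secret
    left=192.0.2.10            # FreeBSD host (constructed address)
    right=192.0.2.20           # Windows host (constructed address)

    # IKE (main mode) proposal. The DH group here is what the Windows GPO
    # configures separately as the IKE Diffie-Hellman group:
    #   Windows group 1    -> modp768
    #   Windows group 2    -> modp1024
    #   Windows group 2048 -> modp2048
    ike=aes256-sha256-modp2048

    # ESP proposal WITHOUT a DH group: no session-key (quick mode) PFS.
    # This matches the Windows default, "Use session key PFS" unchecked.
    esp=aes256-sha256

    # ESP proposal WITH a DH group: strongSwan then performs a fresh DH
    # exchange for every ESP SA, i.e. session-key PFS. Use this line instead
    # of the one above when "Use session key PFS" is ticked on the Windows
    # side; the group has to match what Windows offers for ESP PFS.
    #esp=aes256-sha256-modp2048

    auto=add
```

The security-relevant point is the one the checkbox names: without a DH group in the ESP proposal, ESP keys are derived from the IKE SA's keying material, so compromise of that material exposes every ESP SA it keyed; with the group present, each ESP SA has its own DH secret and the exposure is limited to that SA. Both ends must agree, so a PFS mismatch shows up as quick mode proposal failures in the strongSwan log rather than as a silent downgrade.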