From owner-freebsd-questions@freebsd.org  Tue Jan 14 10:24:09 2020
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id B211E2244E0;
 Tue, 14 Jan 2020 10:24:09 +0000 (UTC) (envelope-from vas@sibptus.ru)
Received: from admin.sibptus.ru (admin.sibptus.ru
 [IPv6:2001:19f0:5001:21dc::10])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 47xmlX4RXcz3RJv;
 Tue, 14 Jan 2020 10:24:08 +0000 (UTC) (envelope-from vas@sibptus.ru)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sibptus.ru; 
 s=20181118; h=In-Reply-To:Message-ID:Subject:To:From:Date;
 bh=AgY4uwHP7VzH222MOxneVpo+2gR5CAGbsYBuvCJrojY=; b=TmqcYQ4JQvNNkMW7OEqrYdBQMH
 TuLjoxZdXjfRRMZZ+2TFNz0HLV3dzPuXLwIMwz8EBcChF5XjXzZC8Mlnux1Wb/PF5jzhWMLjd4L/M
 c13n187kzkb0j5Qi3JONCXTvc7dAjlYszg6tmgSpuQ//aZ9qrn8Ym2x4wMJa2sT1lZIA=;
Received: from vas by admin.sibptus.ru with local (Exim 4.92.3 (FreeBSD))
 (envelope-from <vas@sibptus.ru>)
 id 1irJMk-000FXM-CF; Tue, 14 Jan 2020 17:24:06 +0700
Date: Tue, 14 Jan 2020 17:24:06 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: replacement of security/ipsec-tools
Message-ID: <20200114102406.GA59440@admin.sibptus.ru>
References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org>
 <20200110035009.GB67842@admin.sibptus.ru>
 <20200110065131.GA79879@admin.sibptus.ru>
 <20200111112307.GA62210@admin.sibptus.ru>
 <b7b56621-6632-b811-4bf1-479e43e25678@denninger.net>
 <20200113162648.GA10976@admin.sibptus.ru>
 <76e41e61-3dc6-60f5-d60a-b2571906071e@denninger.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8"
Content-Disposition: inline
In-Reply-To: <76e41e61-3dc6-60f5-d60a-b2571906071e@denninger.net>
X-PGP-Key: http://admin.sibptus.ru/~vas/
X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9  3532 0DA4 F259 9B5E C634
X-Rspamd-Queue-Id: 47xmlX4RXcz3RJv
X-Spamd-Bar: --------
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=sibptus.ru header.s=20181118 header.b=TmqcYQ4J;
 dmarc=pass (policy=none) header.from=sibptus.ru;
 spf=pass (mx1.freebsd.org: domain of vas@sibptus.ru designates
 2001:19f0:5001:21dc::10 as permitted sender) smtp.mailfrom=vas@sibptus.ru
X-Spamd-Result: default: False [-8.40 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[sibptus.ru:s=20181118];
 FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx];
 TO_MATCH_ENVRCPT_ALL(0.00)[];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 IP_SCORE(-3.30)[ip: (-9.89), ipnet: 2001:19f0:5000::/38(-4.94), asn:
 20473(-1.64), country: US(-0.05)]; 
 DKIM_TRACE(0.00)[sibptus.ru:+]; RCPT_COUNT_TWO(0.00)[2];
 DMARC_POLICY_ALLOW(-0.50)[sibptus.ru,none];
 SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_TLS_LAST(0.00)[];
 ASN(0.00)[asn:20473, ipnet:2001:19f0:5000::/38, country:US];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 10:24:09 -0000


--MGYHOYXEY6WxJCY8
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Karl Denninger wrote:
> >
> > For the present, however, I'm interested not in an IPSec VPN (in Windows
> > terminology) but in a simple transport mode IPSec between a FreeBSD and=
 a
> > Windows host.=20
> >
> > My only option for that is IKEv1 because IKEv2 is configured on Windows
> > 10 and Windows 2016 from PowerShell only, and I need to configure a
> > secure connection via Group Policy editor (mmc). I'm still too weak of
> > heart to use PowerShell for IPSec setup.
> >
> > I have this working successfully with racoon (on pre-shared keys) and am
> > investigating the possibility to replace racoon with strongswan.
>=20
> Gotcha.... I misunderstood the application...=A0 I've not attempted to set
> that up here....

In the Windows IPSec GPO, there are two options for PFS:

1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.j=
pg

2. "Use session key PFS" in ESP settings: http://admin.sibptus.ru/~vas/pfs_=
esp.jpg

By default (in a GPO created from scratch) both are unchecked.

Do you perchance know which connection parameters in Strongswan do they
correspond to?

Please note that the DF group for IKE is configured separately, and can
be set to 1, 2, or 2048.


--=20
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

--MGYHOYXEY6WxJCY8
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJeHZbGAAoJEA2k8lmbXsY0b9UH/Rjfv4oAwKHx2o2yqZulzbe5
psKKREjCv1LnaOvTDQsejv/HJnv96uiVFwuaW1/KImbxRy4zjXILJQUJO2SxOv/A
kI49h6PXxdeob+Y7Tsp8TOk7LBZuvfrIR5zkwbmmAcu2fXChsvk35KuIgExOVuMq
CZRZC7iu8k+xGfinqTcD4sOX213gFqDDcSOgLZ9soH9YuH+9cU0S8SdA11ijtpd4
Z/UNjDNqvVoGLlvNiJuOweIPXcDP59R0T+eYFt7oK54rflu1VO55evZ4YD8mc282
99n+ZEBE1vXO0E6lifA7slkTcRsFiahtGNHmScfAcYCYmNi0rlVtmyvvc+r9PCg=
=yZ4r
-----END PGP SIGNATURE-----

--MGYHOYXEY6WxJCY8--