Date: Tue, 27 Feb 2018 13:50:25 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Harry Schmalzbauer <freebsd@omnilan.de>, freebsd-net@freebsd.org
Subject: Re: if_ipsec(4) and IKEv1 [security/ipsec-tools, racoon.conf]
Message-ID: <04174d98-c35d-b88b-d0db-ac579b153c57@yandex.ru>
In-Reply-To: <5A952B38.8060007@omnilan.de>
References: <5A952B38.8060007@omnilan.de>
On 27.02.2018 12:56, Harry Schmalzbauer wrote:
> Hello,
>
> I'm out of ideas how to quick-start with if_ipsec(4) and IKEv1.
>
> I'm familiar with security/ipsec-tools, but I couldn't find out how
> racoon(8) would interact with cloned if_ipsec(4) interfaces yet.

You need to manually configure the if_ipsec interface, i.e. assign tunnel
addresses and bring it up. After that you need to configure racoon to
reply to ACQUIRE messages when some traffic goes through the configured
tunnel. So, you configure the if_ipsec tunnel and it creates security
policies; these policies will produce ACQUIRE requests to racoon, and
racoon should reply, and this will produce the needed security
associations.

> Also, how to tell racoon(8) to generate such tunnel interfaces, hence
> policies?
> I guess the latter isn't implemented in racoon(8) (yet).

I think there are not any IKE daemons that can do this.

> But is racoon(8) supposed to work with static policies generated by
> if_ipsec(4)?

Yes, at least for one tunnel it worked for me. Probably it is possible
for several tunnels too.

-- 
WBR, Andrey V. Elsukov
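The sequence Andrey describes (configure the if_ipsec(4) interface by hand, let it install the policies, have racoon(8) answer the kernel's ACQUIRE) written out as one script. This is an added example for the archive, not code from the thread, from FreeBSD or from ipsec-tools; the outer/inner addresses, the reqid 100, the config and PSK paths and the cipher choices are all assumptions picked for illustration, and the racoon directives are the standard racoon.conf(5) ones.

```shell
#!/bin/sh
# Added example (not from the thread, FreeBSD or ipsec-tools): one if_ipsec(4)
# tunnel keyed by racoon(8) with IKEv1. Addresses, reqid, PSK path and the
# racoon.conf path are hypothetical and chosen for illustration.
#
# Usage:  sh ipsec0-racoon.sh apply    (as root on the FreeBSD host)
#         sh ipsec0-racoon.sh          (only prints the generated racoon.conf)

LOCAL_OUTER=192.0.2.1        # this host's IKE/ESP endpoint (assumed)
PEER_OUTER=198.51.100.1      # the peer's IKE/ESP endpoint (assumed)
LOCAL_INNER=10.0.0.1         # inside addresses carried by ipsec0 (assumed)
PEER_INNER=10.0.0.2
REQID=100                    # ties ipsec0's policies to the SAs racoon installs
RACOON_CONF=/usr/local/etc/racoon/racoon.conf
PSK_FILE=/usr/local/etc/racoon/psk.txt

# Step 1: create and configure the tunnel interface. Once the tunnel endpoints
# are set, if_ipsec(4) installs the security policies itself, tagged with the
# unique reqid, so no setkey(8) spdadd is needed for them.
setup_tunnel() {
    ifconfig ipsec0 create
    ifconfig ipsec0 reqid "$REQID"
    ifconfig ipsec0 tunnel "$LOCAL_OUTER" "$PEER_OUTER"
    ifconfig ipsec0 inet "$LOCAL_INNER" "$PEER_INNER"
    ifconfig ipsec0 up
}

# Step 2: racoon.conf for the IKEv1 side. The policies already exist, so racoon
# must not generate its own (generate_policy off); it only has to answer the
# kernel's ACQUIRE for them. "sainfo anonymous" matches whatever selectors the
# interface's policies carry. Both peers need a matching proposal and the same
# PSK in psk.txt.
write_racoon_conf() {
    cat <<EOF
path pre_shared_key "$PSK_FILE";

remote $PEER_OUTER {
        exchange_mode main;
        generate_policy off;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo anonymous {
        pfs_group 14;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
EOF
}

# Step 3: verification. The policies must exist before racoon starts; after the
# first packet through ipsec0 the negotiated SAs must carry the policy's reqid,
# otherwise the interface will not use them.
show_state() {
    setkey -DP          # policies: ipsec0's entries reference the unique reqid
    setkey -D           # SAs: expect "reqid=$REQID" once IKE has finished
}

case "${1:-}" in
    apply)
        setup_tunnel
        write_racoon_conf > "$RACOON_CONF"
        service racoon restart
        ping -c 3 "$PEER_INNER"   # first packet triggers the ACQUIRE to racoon
        show_state
        ;;
    *)
        write_racoon_conf
        ;;
esac
```

Run racoon in the foreground with debugging (`racoon -F -ddd`) while sending the first packet if nothing comes up; the ACQUIRE handling and any phase-2 proposal mismatch show up there, which is where this setup usually fails.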