[RFC/RFT] projects/ipsec

Ermal Luçi eri at freebsd.org
Wed Dec 28 04:08:50 UTC 2016


On Tue, Dec 27, 2016 at 6:10 AM, Andrey V. Elsukov <bu7cher at yandex.ru>
wrote:

> On 27.12.2016 16:15, Jim Thompson wrote:
>
>> In its initial state if_ipsec allows to use only one set of
>>> encryption parameters (because only one sainfo anonymous is
>>> possible), so at this time it doesn't allow to create multiple
>>> tunnels with VPN hubs that use different ciphers and/or transform
>>> sets, but as far as I understand this is subject to change and
>>> Andrey is already working on a support of this feature from
>>> ipsec-tools IKE daemon.
>>>
>>
>> pfSense (which you mention below) is using strongswan, so when
>> Andrey is finished with ipsec-tools, we will need to review his
>> changes and see what we can do for strongswan.
>>
>> I'm looking forward to the multiple-tunnel support, which is
>> required for pfSense.
>>
>
> There are no such limits. You can create multiple VTI interfaces.
> The problem is with racoon configuration restrictions. It looks like
> ipsec-tools project is dead, I didn't receive any replies from
> ipsec-tools-devel mailing list.
>
> I'm not aware how to configure strongswan, so if someone will not try to
> do this, I don't know when I will do this.
>
>
Strongswan already supports this.
Just the FreeBSD code for it is not there due to the missing feature until
now.



> --
> WBR, Andrey V. Elsukov
> --
> Ermal
>


More information about the freebsd-current mailing list