replacement of security/ipsec-tools

Victor Sudakov vas at sibptus.ru
Sat Jan 11 11:23:15 UTC 2020


Victor Sudakov wrote:
> > 
> > If you ever find good documentation/howto  for strongswan on FreeBSD,
> > please share with me.
> 
> Really, please! I know there are people present here using strongswan.
> 
> I would like to try and replace racoon with it.

Now thanks to Sergey Matveev and some good docs on
https://wiki.strongswan.org/ , I have some working examples of
strongswan usage.  I must admit it is rather elegant.

But for this bug-or-feature: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242744
I could even easily and elegantly secure all communications between my
FreeBSD hosts (I can't of course due to the above bug, but this is not
strongswan's fault).

However, not the same with Windows. By much experimenting, I once
created a working configuration for IPsec transport mode between FreeBSD
and Windows with racoon:

# Phase 1 (IKEv1 main mode) with the Windows 2012 peer
remote "win2012" {
        exchange_mode main;
        my_identifier address;
        peers_identifier address;
        remote_address 192.168.246.12;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
# Phase 2 (IPsec SA) parameters offered to any peer
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha512,hmac_sha384,hmac_sha256,hmac_sha1;
        compression_algorithm deflate;
}

But now when I try to replace racoon with strongswan, the following
configuration does not work:

conn Win2012
    keyexchange=ikev1
    # the "!" makes the proposal strict, as racoon's proposal above was
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!
    left=192.168.246.1
    right=192.168.246.12
    type=transport
    compress=yes
    authby=psk
    auto=route

In Wireshark, I see an ISAKMP exchange between 192.168.246.1 and
192.168.246.12. Also "service strongswan status" reports that there is an SA:

Security Associations (1 up, 0 connecting):
     Win2012[5]: ESTABLISHED 114 seconds ago, 192.168.246.1[192.168.246.1]...192.168.246.12[192.168.246.12]

but in fact there are none:

# setkey -D
No SAD entries.




-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
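The symptom above (strongswan reports an ESTABLISHED IKE SA while setkey -D shows no SAD entries) can be checked mechanically. The script below is an added example, not code from the message or from strongSwan: it parses captured text of "service strongswan status" and "setkey -D" and flags connections whose IKE SA is up but which have no INSTALLED CHILD_SA and/or no ESP SA for that address pair in the kernel. The output formats assumed are the standard strongSwan status lines and FreeBSD setkey output; the samples are constructed, the first pair mirroring the message.

```python
import re

IKE_RE = re.compile(r"^\s*(?P<conn>[^\s\[]+)\[\d+\]:\s+(?P<state>\w+)"
                    r"(?:.*?(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[)?")
CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{\d+\}:\s+(?P<state>\w+),\s*(?P<mode>\w+)")
SAD_HDR = re.compile(r"^(?P<src>[\d.]+) (?P<dst>[\d.]+)$")   # "src dst" line of setkey -D
SAD_ESP = re.compile(r"^\s+esp mode=(?P<mode>\w+) spi=")      # ESP SA line that follows it

def parse_swan_status(text):
    """{conn: {"ike": state, "peers": (local, remote), "children": [(state, mode)]}}"""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"ike": None, "peers": None, "children": []})
            c["ike"], c["peers"] = m["state"], (m["local"], m["remote"])
            continue
        m = CHILD_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"ike": None, "peers": None, "children": []})
            c["children"].append((m["state"], m["mode"]))
    return conns

def parse_setkey_sad(text):
    """[(src, dst, mode)] for each ESP SA listed by setkey -D ("No SAD entries." -> [])."""
    sas, pending = [], None
    for line in text.splitlines():
        h = SAD_HDR.match(line)
        if h:
            pending = (h["src"], h["dst"])
        elif pending and SAD_ESP.match(line):
            sas.append(pending + (SAD_ESP.match(line)["mode"],))
    return sas

def diagnose(status_text, sad_text):
    """{conn: [findings]} for connections that look up but cannot carry traffic."""
    sad, findings = parse_setkey_sad(sad_text), {}
    for conn, c in parse_swan_status(status_text).items():
        if c["ike"] != "ESTABLISHED":
            continue
        notes = []
        if not any(st == "INSTALLED" for st, _ in c["children"]):
            notes.append("IKE SA established but no CHILD_SA installed")
        local, remote = c["peers"]
        if local and not any({s, d} == {local, remote} for s, d, _ in sad):
            notes.append("no ESP SA for %s<->%s in kernel SAD" % (local, remote))
        if notes:
            findings[conn] = notes
    return findings

# Constructed samples; BROKEN_* reproduce the outputs quoted in the message.
BROKEN_STATUS = """Security Associations (1 up, 0 connecting):
     Win2012[5]: ESTABLISHED 114 seconds ago, 192.168.246.1[192.168.246.1]...192.168.246.12[192.168.246.12]
"""
BROKEN_SAD = "No SAD entries.\n"
OK_STATUS = BROKEN_STATUS + """     Win2012{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c0a8f60c_i c0a8f601_o
     Win2012{1}:   192.168.246.1/32 === 192.168.246.12/32
"""
OK_SAD = """192.168.246.12 192.168.246.1
	esp mode=transport spi=3232298508(0xc0a8f60c) reqid=1(0x00000001)
192.168.246.1 192.168.246.12
	esp mode=transport spi=3232298497(0xc0a8f601) reqid=1(0x00000001)
"""

if __name__ == "__main__":
    print(diagnose(BROKEN_STATUS, BROKEN_SAD))  # two findings for Win2012
    print(diagnose(OK_STATUS, OK_SAD))          # {}
```

Run it against real captures by reading the two command outputs into strings; a healthy transport-mode connection yields an empty result.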