replacement of security/ipsec-tools

Michael Grimm trashcan at ellael.org
Sat Jan 11 11:21:05 UTC 2020


Victor Sudakov <vas at sibptus.ru> wrote:
> Michael Grimm wrote:

First of all, I'd like to thank all of you for your input, which helped a lot.

>> I have been running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
>> 
>> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
>> 	The development of ipsec-tools has been ABANDONED. 
>> 	ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative! 
>> 
>> Could you provide me with links where I could find more details about the above-mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.

Well, now I do know that security patches have been applied to security/ipsec-tools. Thus one can ignore "Please switch to a secure alternative!"

>> What would be a secure alternative if one is needed? 
>> 	#) security/racoon2
>> 	#) security/strongswan
>> 	#) something else?
> 
> There was also security/isakmpd but is marked as BROKEN now.
> 
> I've been told that strongswan works on FreeBSD. I've tried installing
> strongswan, but it looks too complex and tricky in comparison with
> racoon.
> 
> If you ever find good documentation/howto for strongswan on FreeBSD,
> please share with me.

Sorry, but I never tried strongswan as a replacement, mainly due to the reasons you mentioned as well: I couldn't get it running. Thus I used racoon instead.

Kurt mentioned wireguard. I could get the tunnel running, but I failed in getting the routing at both sites running (in my preliminary tests).

Then this mail made my day:

>> What do I need?
>> 	#) a VPN tunnel between two hosts
>> 	#) both local networks reachable from the remote host
> 
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

I did install my IPSEC/racoon tunnel many years ago and missed the recent implementation of if_ipsec completely. 

Victor, thank you very, very much for pointing me to this interface. Now, my tunnel is far less complicated to implement[1], and I will no longer need security/ipsec-tools at all! 

[1] Following if_ipsec(4) and https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because the example with "right" and "left" notation helped me understand if_ipsec(4) better.

Thanks and regards,
Michael 
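The static-key if_ipsec(4) setup Victor points to, as an added example that is not part of this mail, of the linked OPNsense comment, or of FreeBSD's own documentation: a small sh script that prints the ifconfig(8)/setkey(8) commands for either end of the tunnel, mirroring "left" and "right" so both hosts are generated from one set of values. All addresses, the reqid, the SPIs and the keys are constructed placeholders; the algorithm choice (rijndael-cbc with hmac-sha2-256, 256-bit keys each) and the route command are this example's assumptions. The two SAs are tied to the interface with `-u reqid`; if_ipsec(4) installs the matching security policies itself once the tunnel endpoints are configured, so no spdadd lines are needed.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD): prints the
# ifconfig(8)/setkey(8) commands for a static-key if_ipsec(4) tunnel, one
# side at a time, so the "left"/"right" mirroring is done by the script.
# Every address, SPI and key below is a constructed placeholder.

LEFT_PUB=198.51.100.1      # outer (public) address of host "left"
RIGHT_PUB=203.0.113.1      # outer (public) address of host "right"
LEFT_TUN=10.0.0.1          # inner tunnel address on "left"
RIGHT_TUN=10.0.0.2         # inner tunnel address on "right"
LEFT_NET=192.168.1.0/24    # LAN behind "left"
RIGHT_NET=192.168.2.0/24   # LAN behind "right"
REQID=100                  # ties the SAs to the ipsec0 interface
SPI_L2R=10000              # SPI of the left -> right SA
SPI_R2L=10001              # SPI of the right -> left SA

# Placeholder keys; generate real ones with: openssl rand -hex 32
# Both hosts hold the same four keys; the direction decides which is inbound.
ENC_L2R=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
AUTH_L2R=0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
ENC_R2L=0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
AUTH_R2L=0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100

# check_hex_key KEY BITS: succeeds if KEY is "0x" plus exactly BITS/4 hex digits.
# A wrong-length key makes setkey reject the SA, so catch it before printing.
check_hex_key() {
    key=$1; bits=$2
    hex=${key#0x}
    [ "$hex" != "$key" ] || return 1            # must carry the 0x prefix
    [ ${#hex} -eq $((bits / 4)) ] || return 1   # right length for the cipher
    case $hex in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# ipsec_side left|right: print the commands to run on that host.
ipsec_side() {
    case $1 in
        left)  my_pub=$LEFT_PUB;  peer_pub=$RIGHT_PUB; my_tun=$LEFT_TUN;  peer_tun=$RIGHT_TUN
               peer_net=$RIGHT_NET; spi_out=$SPI_L2R; spi_in=$SPI_R2L
               enc_out=$ENC_L2R; auth_out=$AUTH_L2R; enc_in=$ENC_R2L; auth_in=$AUTH_R2L ;;
        right) my_pub=$RIGHT_PUB; peer_pub=$LEFT_PUB;  my_tun=$RIGHT_TUN; peer_tun=$LEFT_TUN
               peer_net=$LEFT_NET;  spi_out=$SPI_R2L; spi_in=$SPI_L2R
               enc_out=$ENC_R2L; auth_out=$AUTH_R2L; enc_in=$ENC_L2R; auth_in=$AUTH_L2R ;;
        *)     echo "usage: ipsec_side left|right" >&2; return 2 ;;
    esac
    for k in $enc_out $auth_out $enc_in $auth_in; do
        check_hex_key "$k" 256 || { echo "bad 256-bit key: $k" >&2; return 1; }
    done
    # The outer heredoc expands the variables; the inner one is quoted so the
    # generated script feeds setkey literally.
    cat <<EOF
# --- run on host "$1" ---
ifconfig ipsec0 create reqid $REQID
ifconfig ipsec0 inet $my_tun/32 $peer_tun tunnel $my_pub $peer_pub
ifconfig ipsec0 up
route add -net $peer_net $peer_tun
setkey -c <<'SETKEY'
add $my_pub $peer_pub esp $spi_out -m tunnel -u $REQID -E rijndael-cbc $enc_out -A hmac-sha2-256 $auth_out;
add $peer_pub $my_pub esp $spi_in -m tunnel -u $REQID -E rijndael-cbc $enc_in -A hmac-sha2-256 $auth_in;
SETKEY
EOF
}

# Usage: sh gen-ipsec.sh left > left.sh; sh gen-ipsec.sh right > right.sh
if [ -n "${1:-}" ]; then
    ipsec_side "$1"
fi
```

Without an IKE daemon nothing rekeys these SAs or provides forward secrecy, so rotate the four keys by hand (install the new SAs under fresh SPIs, then delete the old ones) and keep the generated scripts readable by root only, since the keys are all that protects the tunnel. For the "both local networks reachable" requirement each host must also forward packets (`gateway_enable="YES"` in rc.conf), which the script assumes rather than sets.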
