replacement of security/ipsec-tools
Michael Grimm
trashcan at ellael.org
Sat Jan 11 11:21:05 UTC 2020
Victor Sudakov <vas at sibptus.ru> wrote:
> Michael Grimm wrote:
First of all, I'd like to thank all of you for your input, which helped a lot.
>> I have been running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
>> The development of ipsec-tools has been ABANDONED.
>> ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details about the above mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.
Well, now I do know that security patches have been applied to security/ipsec-tools. Thus one can ignore "Please switch to a secure alternative!"
>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd but is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried installing
> strongswan, but it looks too complex and tricky in comparison with
> racoon.
>
> If you ever find good documentation/howto for strongswan on FreeBSD,
> please share with me.
Sorry, but I never tried strongswan as a replacement, mainly due to the reasons you mentioned as well: I couldn't get it running. Thus I used racoon instead.
Kurt mentioned wireguard. I could get the tunnel running, but I failed in getting the routing at both sites running (in my preliminary tests).
Then this mail made my day:
>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in if_ipsec(4).
I did install my IPSEC/racoon tunnel many years ago and missed the recent implementation of if_ipsec completely.
Victor, thank you very, very much for pointing me to this interface. Now, my tunnel is far less complicated to implement[1], and I will no longer need security/ipsec-tools at all!
[1] Following if_ipsec(4) and https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because the example with "right" and "left" notation helped me to understand if_ipsec(4) better.
Thanks and regards,
Michael
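As an added illustration that is not part of this thread, the following POSIX sh script generates the two pieces a static-key if_ipsec(4) tunnel needs on each host, in the pattern the man page describes: the ipsec interface carries a reqid, and the security associations are added with setkey(8) using -u with that same reqid. The "left"/"right" naming follows the linked OPNsense issue. The rc.conf(5) variable names (cloned_interfaces, create_args_ifn, ifconfig_ifn, static_routes, route_name, ipsec_enable, ipsec_file) are real, but the exact ifconfig_ipsec0 wiring and the /30 inner prefix are assumptions to check against the local if_ipsec(4); the aes-gcm-16 key lengths are those listed in setkey(8). All addresses, SPIs and keys are constructed placeholders; the script only prints configuration and never calls ifconfig or setkey.

```shell
#!/bin/sh
# Added example (not part of the thread): prints the setkey(8) SAs and the
# rc.conf(5) lines for a static-key if_ipsec(4) tunnel.  All addresses, SPIs
# and keys below are constructed placeholders.

ALG=aes-gcm-16   # AEAD cipher: no separate -A authentication key is needed

# Bit length of a setkey hex key written as 0x<hex>; 0 if malformed.
key_bits() {
    case "$1" in 0x*) ;; *) echo 0; return ;; esac
    hex=${1#0x}
    case "$hex" in ''|*[!0-9a-fA-F]*) echo 0; return ;; esac
    echo $(( ${#hex} * 4 ))
}

# setkey(8) accepts aes-gcm-16 keys of 160/224/288 bits (AES key + 4-byte salt).
check_esp_key() {
    case "$(key_bits "$1")" in 160|224|288) return 0 ;; esac
    return 1
}

# gen_setkey LEFT_GW RIGHT_GW REQID SPI_L2R SPI_R2L KEY_L2R KEY_R2L
# Prints one SA per direction.  Both hosts load exactly the same two lines:
# an SA is identified by (dst, SPI) and the key must match on both ends.
# Each direction gets its own SPI and its own key.
gen_setkey() {
    l=$1 r=$2 reqid=$3 spi_l2r=$4 spi_r2l=$5 k_l2r=$6 k_r2l=$7
    check_esp_key "$k_l2r" || { echo "left->right key: bad length for $ALG" >&2; return 1; }
    check_esp_key "$k_r2l" || { echo "right->left key: bad length for $ALG" >&2; return 1; }
    [ "$spi_l2r" != "$spi_r2l" ] || { echo "SPIs must differ per direction" >&2; return 1; }
    [ "$k_l2r" != "$k_r2l" ]     || { echo "keys must differ per direction" >&2; return 1; }
    printf 'add %s %s esp %s -m tunnel -u %s -E %s %s;\n' "$l" "$r" "$spi_l2r" "$reqid" "$ALG" "$k_l2r"
    printf 'add %s %s esp %s -m tunnel -u %s -E %s %s;\n' "$r" "$l" "$spi_r2l" "$reqid" "$ALG" "$k_r2l"
}

# gen_rcconf REQID MY_GW PEER_GW MY_INNER PEER_INNER PEER_NET
# rc.conf lines for one host (assumed wiring, see lead-in).  The point-to-point
# ipsec0 address pair gives the kernel a next hop, so the remote LAN is reached
# with an ordinary static route via PEER_INNER rather than extra SPD entries.
gen_rcconf() {
    printf 'cloned_interfaces="ipsec0"\n'
    printf 'create_args_ipsec0="reqid %s"\n' "$1"
    printf 'ifconfig_ipsec0="inet %s %s tunnel %s %s"\n' "$4" "$5" "$2" "$3"
    printf 'static_routes="vpn"\n'
    printf 'route_vpn="-net %s %s"\n' "$6" "$5"
    printf 'ipsec_enable="YES"\n'
    printf 'ipsec_file="/etc/ipsec.conf"\n'
}

# Demo with constructed values: left gateway 192.0.2.1 (LAN 10.1.0.0/24),
# right gateway 198.51.100.1 (LAN 10.2.0.0/24), inner addresses 172.16.0.1/.2.
# 288-bit keys = 72 hex digits (placeholder bytes 0x00..0x23 and the reverse).
K_L2R=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20212223
K_R2L=0x232221201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100
echo '# /etc/ipsec.conf (identical on both hosts)'
gen_setkey 192.0.2.1 198.51.100.1 100 0x1000 0x1001 "$K_L2R" "$K_R2L"
echo '# /etc/rc.conf additions on the left host'
gen_rcconf 100 192.0.2.1 198.51.100.1 172.16.0.1/30 172.16.0.2 10.2.0.0/24
```

The right host uses the same ipsec.conf and a mirrored gen_rcconf call (its own gateway first, inner addresses swapped, route to 10.1.0.0/24). Because the file holds the raw keys, keep /etc/ipsec.conf root-owned with mode 0600, and remember that static SAs never rekey: there is no forward secrecy, so both SPIs and keys should be replaced on a schedule, on both hosts at once.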
More information about the freebsd-questions mailing list