replacement of security/ipsec-tools
Victor Gamov
vit at otcnet.ru
Sat Jan 11 13:36:19 UTC 2020
I have successfully used strongswan for about 2 years to connect FreeBSD-FreeBSD
and FreeBSD-Cisco.
The configuration is simple:
===== /usr/local/etc/rc.conf.d/netif/ipsec2001:
cloned_interfaces="$cloned_interfaces ipsec2001"
create_args_ipsec2001="reqid 2001"
ifconfig_ipsec2001="inet 10.10.01.2 10.10.01.3 netmask 255.255.255.254 tunnel <local_WAN_ip> <remote_WAN_ip> up"
=====
===== /usr/local/etc/ipsec.conf
conn tmpl_AES256_SHA256
    left = <local_WAN_ip>
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev1
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    ikelifetime = 28800
    mobike = no
    installpolicy = no
    lifetime = 3600
    auto = start

conn REMOTE1
    right = <remote_WAN_ip>
    reqid = 2001
    also = tmpl_AES256_SHA256
=====
===== /usr/local/etc/ipsec.secrets
<remote_WAN_ip> <local_WAN_ip> : PSK "super-secret-PSK"
=====
On 10/01/2020 06:50, Victor Sudakov wrote:
> Michael Grimm wrote:
>> [X-posted, please choose the relevant ML for such a thread]
>>
>> Hi,
>>
>> I am running ipsec-tools to implement a VPN tunnel (esp) between
>> two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me
>> think about an alternative: The development of ipsec-tools has been
>> ABANDONED. ipsec-tools has security issues, and you should not use
>> it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details
>> about the above-mentioned 'security issues'? I want to find out if
>> my specific setup has security issues at all. Thanks.
>>
>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried
> installing strongswan, but it looks too complex and tricky in
> comparison with racoon.
>
> If you ever find good documentation/howto for strongswan on
> FreeBSD, please share it with me.
>
>>
>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in
> if_ipsec(4).
>
--
CU,
Victor Gamov
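An added consistency check for the if_ipsec(4) plus strongswan setup above (example code written for this page, not from the mail, FreeBSD or strongswan): it parses the rc.conf.d netif file and ipsec.conf, follows `also=` template inheritance, and reports any conn whose reqid has no matching ipsecN interface or that lacks installpolicy=no (without it the daemon installs its own policies instead of letting the tunnel interface's policy apply). The sample files are constructed from the mail, with its placeholders kept.

```python
import re

# Constructed sample input mirroring the mail's two files (placeholders kept as in the mail).
RC_NETIF = '''cloned_interfaces="$cloned_interfaces ipsec2001"
create_args_ipsec2001="reqid 2001"
'''
IPSEC_CONF = '''conn tmpl_AES256_SHA256
    left = <local_WAN_ip>
    keyexchange = ikev1
    installpolicy = no
    auto = start
conn REMOTE1
    right = <remote_WAN_ip>
    reqid = 2001
    also = tmpl_AES256_SHA256
'''

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with 'also=' templates merged in;
    a conn's own keys take precedence over the template's."""
    sections, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'^conn\s+(\S+)', line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif cur is not None and '=' in line and not line.lstrip().startswith('#'):
            k, v = line.split('=', 1)
            cur[k.strip()] = v.strip()
    def resolve(name, seen=()):
        own = dict(sections.get(name, {}))
        base = own.pop('also', None)
        merged = resolve(base, seen + (name,)) if base and base not in seen else {}
        merged.update(own)  # own settings override the included template
        return merged
    return {n: resolve(n) for n in sections}

def parse_if_reqids(text):
    """Return {reqid: ifname} from create_args_ipsecN="reqid N" entries."""
    return {int(r): i for i, r in re.findall(r'create_args_(ipsec\d+)="reqid\s+(\d+)"', text)}

def check(ipsec_conf, rc_netif):
    """List mismatches between strongswan conns and if_ipsec interfaces."""
    ifaces = parse_if_reqids(rc_netif)
    problems = []
    for name, o in parse_ipsec_conf(ipsec_conf).items():
        if 'reqid' not in o:
            continue  # template section, or a policy-based conn with no tunnel interface
        if int(o['reqid']) not in ifaces:
            problems.append(f"{name}: reqid {o['reqid']} has no matching ipsecN interface")
        if o.get('installpolicy', 'yes') != 'no':  # strongswan's default is yes
            problems.append(f"{name}: set installpolicy=no so the interface's policy is used")
    return problems

if __name__ == '__main__':
    print(check(IPSEC_CONF, RC_NETIF) or 'consistent')
```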