replacement of security/ipsec-tools

Victor Gamov vit at otcnet.ru
Sat Jan 11 13:36:19 UTC 2020


I have successfully used strongswan for about 2 years to connect FreeBSD-FreeBSD
and FreeBSD-Cisco.

Configuration is simple:

===== /usr/local/etc/rc.conf.d/netif/ipsec2001:
cloned_interfaces="$cloned_interfaces ipsec2001"
create_args_ipsec2001="reqid 2001"
ifconfig_ipsec2001="inet 10.10.01.2 10.10.01.3 netmask 255.255.255.254 tunnel <local_WAN_ip> <remote_WAN_ip> up"
=====

===== /usr/local/etc/ipsec.conf
conn tmpl_AES256_SHA256
   left = <local_WAN_ip>
   leftsubnet = 0.0.0.0/0
   rightsubnet = 0.0.0.0/0
   authby = psk
   keyexchange = ikev1
   ike = aes256-sha256-modp2048
   esp = aes256-sha256
   ikelifetime = 28800
   mobike = no
   installpolicy = no
   lifetime = 3600
   auto = start

conn REMOTE1
   right = <remote_WAN_ip>
   reqid = 2001
   also = tmpl_AES256_SHA256
=====

===== /usr/local/etc/ipsec.secrets
<remote_WAN_ip>	<local_WAN_ip> : PSK "super-secret-PSK"
=====

On 10/01/2020 06:50, Victor Sudakov wrote:
> Michael Grimm wrote:
>> [X-posted, please choose the relevant ML for such a thread]
>> 
>> Hi,
>> 
>> I am running ipsec-tools to implement a VPN tunnel (esp) between
>> two hosts for years now.
>> 
>> But this statement on http://ipsec-tools.sourceforge.net makes me
>> think about an alternative: The development of ipsec-tools has been
>> ABANDONED. ipsec-tools has security issues, and you should not use
>> it. Please switch to a secure alternative!
>> 
>> Could you provide me with links where I could find more details
>> about the above mentioned 'security issues'? I want to find out if
>> my specific setup has security issues at all. Thanks.
>> 
>> What would be a secure alternative if one is needed? #)
>> security/racoon2 #) security/strongswan #) something else?
> 
> There was also security/isakmpd but it is marked as BROKEN now.
> 
> I've been told that strongswan works on FreeBSD. I've tried
> installing strongswan, but it looks too complex and tricky in
> comparison with racoon.
> 
> If you ever find good documentation/howto for strongswan on
> FreeBSD, please share with me.
> 
>> 
>> What do I need? #) a VPN tunnel between two hosts #) both local
>> networks reachable from the remote host
> 
> That is what kernel IPSec is for, you can even do it on static keys 
> without any ISAKMP daemon like racoon. See an example in
> if_ipsec(4).
> 

-- 
CU,
Victor Gamov