replacement of security/ipsec-tools

Victor Sudakov vas at sibptus.ru
Tue Jan 14 10:24:09 UTC 2020


Karl Denninger wrote:
> >
> > For the present, however, I'm interested not in an IPSec VPN (in Windows
> > terminology) but in a simple transport mode IPSec between a FreeBSD and a
> > Windows host. 
> >
> > My only option for that is IKEv1 because IKEv2 is configured on Windows
> > 10 and Windows 2016 from PowerShell only, and I need to configure a
> > secure connection via Group Policy editor (mmc). I'm still too weak of
> > heart to use PowerShell for IPSec setup.
> >
> > I have this working successfully with racoon (on pre-shared keys) and am
> > investigating the possibility to replace racoon with strongswan.
> 
> Gotcha.... I misunderstood the application...  I've not attempted to set
> that up here....

In the Windows IPSec GPO, there are two options for PFS:

1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg

2. "Use session key PFS" in ESP settings: http://admin.sibptus.ru/~vas/pfs_esp.jpg

By default (in a GPO created from scratch) both are unchecked.

Do you perchance know which connection parameters in Strongswan they
correspond to?

Please note that the DF group for IKE is configured separately, and can
be set to 1, 2, or 2048.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/