IKEv2/IPSEC "Road Warrior" VPN Tunneling?

VANHULLEBUS Yvan vanhu at FreeBSD.org
Mon May 13 13:51:25 UTC 2013


On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
> Hello Karl and FreeBSD friends,

Hi all.

> I recall having read about racoon and roadwarrior. Have a look to
> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
> planning to install this on my server. However I have only little time at
> the moment. I'm also looking for examples of configuration files to work 
> with.

First, ipsec-tools is for IKEv1 only, as the subject of the original
mail talks about IKEv2.

For IKEv1 (with ipsec-tools), the simplest way to do this would be to
create a remote "anonymous" and a sainfo "anonymous" section, with
"generate_policy" set to on: racoon will negotiate phase 1 / phase 2,
then will generate SPD entries from the peer's proposal.

Of course, this means that you'll have to trust what your peers will
negotiate as traffic endpoints!

If you have some more time to spend on configuration (recommended!),
you can specify traffic endpoints for the sainfo section: valid
endpoints (which match the sainfo) negotiated by the peer will work as
described above, and other traffic endpoints will not negotiate, as
racoon won't find any related sainfo.


Yvan.
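
The two configurations described in the mail above, as an added example
that is not part of the original message or of the ipsec-tools project:
a minimal racoon.conf for an IKEv1 road-warrior responder, first in the
loose "anonymous + generate_policy" form, then with the traffic endpoints
pinned in the sainfo section. The file paths, the 10.1.0.0/16 local
network, the 192.0.2.0/24 client range and the algorithm choices are
assumptions for illustration only.

```conf
# Added example (not from the original mail): ipsec-tools racoon.conf for
# an IKEv1 road-warrior responder.  Paths, addresses and algorithms are
# assumed values chosen for illustration.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Loose variant from the mail: accept any peer, and let racoon derive the
# SPD entries from whatever phase 2 traffic endpoints the peer proposes.
remote anonymous {
        exchange_mode main, aggressive;
        passive on;               # responder only: never initiate to "anonymous"
        nat_traversal on;
        generate_policy on;       # build SPD entries from the peer's phase 2 IDs
        proposal_check obey;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

# With "sainfo anonymous" every phase 2 ID pair the peer proposes matches,
# so the peer alone decides which traffic ends up in the generated SPD.
sainfo anonymous {
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}

# Tighter variant from the mail: keep the "remote anonymous" block, but
# replace "sainfo anonymous" with explicit traffic endpoints.  The first ID
# is the local side (what a road warrior is allowed to reach), the second
# is the peer's side.  A phase 2 proposal whose IDs are not covered by any
# sainfo finds no match, so racoon refuses it and no SPD entry is generated.
sainfo address 10.1.0.0/16 any address 192.0.2.0/24 any {
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

Only one of the two sainfo blocks should be present in a real file. After
restarting racoon, "setkey -DP" dumps the SPD, which is the quickest way to
check that the policies generated from a connecting peer cover only the
ranges you intended. Note also that with main mode the pre-shared key is
looked up by the peer's address, so road warriors with changing addresses
usually end up on aggressive mode with an identifier, or on certificates.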


More information about the freebsd-stable mailing list