IKEv2/IPSEC "Road Warrior" VPN Tunneling?

Karl Denninger karl at denninger.net
Mon May 13 14:25:39 UTC 2013


On 5/13/2013 8:44 AM, VANHULLEBUS Yvan wrote:
> On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
>> Hello Karl and FreeBSD friends,
> Hi all.
>
>> I recall having read about racoon and roadwarrior. Have a look to
>> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
>> planning to install this on my server. However I have only little time at
>> the moment. I'm also looking for examples of configuration files to work 
>> with.
> First, ipsec-tools is for IKEv1 only, as the subject of the original
> mail talks about IKEv2.
>
> For IKEv1 (with ipsec-tools), the simplest way to do this would be to
> create a remote "anonymous" and a sainfo "anonymous" section, with
> "generate_policy" set to on: racoon will negotiate phase 1 / phase 2,
> then will generate SPD entries from peer's proposal.
>
> Of course, this means that you'll have to trust what your peers will
> negotiate as traffic endpoints !
>
> If you have some more time to spend on configuration (recommended !),
> you can specify traffic endpoints for the sainfo section: valid
> endpoints (which match the sainfo) negotiated by peer will work as
> described above, and other traffic endpoints will not negotiate, as
> racoon won't find any related sainfo.
>
>
> Yvan.
>
I have successfully configured StrongSwan for IPSEC/IKEv2 and have it
operating both with Windows clients and also with the BlackBerry Z10.
It is fast and works very well; I went for the current source directly
rather than the port as I wanted to enable a number of options.

If readers believe there's value in posting the "recipe" I used here let
me know.

-- 
Karl Denninger
karl at denninger.net
Cuda Systems LLC
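The racoon.conf layout Yvan describes above, written out as an added example (my own, not from this thread and not one of the files shipped under /usr/local/share/examples/ipsec-tools/): the permissive road-warrior form with an anonymous remote and an anonymous sainfo, followed by the sainfo restricted to the traffic endpoints the gateway is actually willing to protect. The gateway address 192.0.2.1, the internal network 10.0.0.0/24, the certificate file names and the cipher choices are assumptions for illustration, not taken from the page.

```conf
# /usr/local/etc/racoon/racoon.conf  (added example; addresses, paths and
# file names are assumed, not from the thread)
path certificate "/usr/local/etc/racoon/certs";

listen {
    isakmp      192.0.2.1 [500];     # assumed public address of the gateway
    isakmp_natt 192.0.2.1 [4500];
}

# Phase 1: accept any peer that authenticates, whatever its source address.
# Certificates rather than a pre-shared key: racoon keys psk.txt on the peer
# identity, which in main mode is the peer address, so a road warrior whose
# address is not known in advance cannot be matched that way.
remote anonymous {
    exchange_mode     main;
    passive           on;        # gateway is responder only
    nat_traversal     on;
    generate_policy   on;        # install SPD entries from the peer's phase 2 proposal
    certificate_type  x509 "gateway.crt" "gateway.key";   # assumed file names
    ca_type           x509 "ca.crt";
    verify_cert       on;
    my_identifier     asn1dn;
    peers_identifier  asn1dn;
    proposal_check    obey;
    proposal {
        encryption_algorithm   aes 256;
        hash_algorithm         sha256;
        authentication_method  rsasig;
        dh_group               modp2048;
    }
}

# Phase 2, permissive: ANY traffic endpoints the peer proposes are accepted and
# turned into policy. Simple, but you trust every client to claim sane selectors.
sainfo anonymous {
    pfs_group                 modp2048;
    lifetime                  time 1 hour;
    encryption_algorithm      aes 256;
    authentication_algorithm  hmac_sha256;
    compression_algorithm     deflate;
}

# Phase 2, restricted (use INSTEAD of the anonymous sainfo above): the local
# side of the selector must fall inside the protected network (assumed
# 10.0.0.0/24); the remote side stays anonymous because the road warrior's
# address is unknown. A proposal for anything else matches no sainfo, so
# racoon refuses phase 2 and no policy is generated for it.
#sainfo address 10.0.0.0/24 any anonymous {
#    pfs_group                 modp2048;
#    lifetime                  time 1 hour;
#    encryption_algorithm      aes 256;
#    authentication_algorithm  hmac_sha256;
#    compression_algorithm     deflate;
#}
```

The difference between the two sainfo blocks is exactly the trust question Yvan raises: with the anonymous sainfo an authenticated client can negotiate, say, 0.0.0.0/0 as the gateway-side endpoint and racoon will install that policy; with the restricted sainfo only selectors inside 10.0.0.0/24 ever reach the SPD. After a client connects, `setkey -DP` shows the policies generate_policy created and `racoonctl show-sa ipsec` the SAs behind them, which is the quickest way to confirm the restriction actually took.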
