From: Victor Gamov <vit@otcnet.ru>
Organization: OstankinoTelecom
To: freebsd-questions@freebsd.org
Subject: Re: replacement of security/ipsec-tools
Date: Sat, 11 Jan 2020 16:35:34 +0300
Message-ID: <04c75aaa-d844-2ddc-a437-e2bcab2a7b22@otcnet.ru>
In-Reply-To: <20200110035009.GB67842@admin.sibptus.ru>
References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru>
I have successfully used strongswan for about 2 years to connect
FreeBSD-FreeBSD and FreeBSD-Cisco.

The configuration is simple:

=====
/usr/local/etc/rc.conf.d/netif/ipsec2001:

cloned_interfaces="$cloned_interfaces ipsec2001"
create_args_ipsec2001="reqid 2001"
ifconfig_ipsec2001="inet 10.10.01.2 10.10.01.3 netmask 255.255.255.254 tunnel up"
=====

=====
/usr/local/etc/ipsec.conf

conn tmpl_AES256_SHA256
    left =
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev1
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    ikelifetime = 28800
    mobike = no
    installpolicy = no
    lifetime = 3600
    auto = start

conn REMOTE1
    right =
    reqid = 2001
    also = tmpl_AES256_SHA256
=====

=====
/usr/local/etc/ipsec.secrets

: PSK "super-secret-PSK"
=====

On 10/01/2020 06:50, Victor Sudakov wrote:
> Michael Grimm wrote:
>> [X-posted, please choose the relevant ML for such a thread]
>>
>> Hi,
>>
>> I am running ipsec-tools to implement a VPN tunnel (esp) between
>> two hosts for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me
>> think about an alternative: The development of ipsec-tools has been
>> ABANDONED. ipsec-tools has security issues, and you should not use
>> it. Please switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details
>> about the above-mentioned 'security issues'? I want to find out if
>> my specific setup has security issues at all. Thanks.
>>
>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried
> installing strongswan, but it looks too complex and tricky in
> comparison with racoon.
>
> If you ever find good documentation/howto for strongswan on
> FreeBSD, please share it with me.
>
>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in
> if_ipsec(4).
>

-- 
CU,
Victor Gamov
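The question running through this thread is whether a given IPsec setup has security issues. The posted strongswan config spreads the effective settings of REMOTE1 over a template pulled in with also=, so a reviewer has to resolve that chain before judging the proposals. Below is an added example, not code from this thread or from the strongSwan project: a small Python linter that parses the classic ipsec.conf format, resolves also= (own values over the template over conn %default), and reports the things a reviewer would look at: IKEv1 (and IKEv1 aggressive mode with a PSK), weak algorithms or DH groups, and an esp proposal with no DH group, which in strongSwan means the CHILD_SA is rekeyed without PFS. The sample config is constructed from the posted one with RFC 5737 documentation addresses filled in for the elided left/right, plus a deliberately weak LEGACY conn; the weak-token list is the reviewer's own choice, not a strongSwan setting.

```python
"""Lint a strongSwan ipsec.conf for settings a security reviewer would flag.
Added example; not code from the mailing-list thread or from strongSwan."""
import re

# Reviewer's own block list (an assumption, not a strongSwan setting).
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "sha", "modp768", "modp1024",
               "modp1536", "null", "blowfish", "cast128"}
# Tokens that name a DH group inside an ike/esp proposal.
DH_GROUP_RE = re.compile(r"^(modp\d+|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")

# Constructed sample modelled on the posted config; endpoints are documentation
# addresses and the LEGACY conn exists only to exercise the checks.
SAMPLE_CONF = """\
conn tmpl_AES256_SHA256
    left = 192.0.2.2
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev1
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    ikelifetime = 28800
    mobike = no
    installpolicy = no
    lifetime = 3600
    auto = start

conn REMOTE1
    right = 192.0.2.1
    reqid = 2001
    also = tmpl_AES256_SHA256

# constructed: deliberately weak settings
conn LEGACY
    right = 192.0.2.3
    aggressive = yes
    ike = 3des-sha1-modp1024
    esp = 3des-sha1
    also = tmpl_AES256_SHA256
"""

def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}}; headers sit at column 0, params indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header
            parts = line.split(None, 1)
            if parts[0] not in ("conn", "config", "ca") or len(parts) != 2:
                raise ValueError(f"unexpected line: {line!r}")
            current = sections.setdefault(f"{parts[0]} {parts[1].strip()}", {})
            continue
        if current is None:
            raise ValueError(f"parameter before any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {line!r}")
        current[key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name, _seen=None):
    """Effective parameters: own values > also= template > conn %default."""
    top = _seen is None
    seen = set() if top else _seen
    if name in seen:
        raise ValueError(f"also= cycle through {name}")
    seen.add(name)
    own = dict(sections[f"conn {name}"])
    merged = dict(sections.get("conn %default", {})) if top else {}
    if "also" in own:
        merged.update(resolve_conn(sections, own.pop("also"), seen))
    merged.update(own)
    return merged

def proposal_alternatives(proposal):
    """'aes256-sha256-modp2048,aes128-sha256!' -> [[tokens], [tokens]]."""
    return [[t.lower() for t in alt.split("-") if t]
            for alt in proposal.rstrip("!").split(",") if alt.strip()]

def lint_conn(name, conn):
    """Return human-readable findings for one resolved conn."""
    findings = []
    if conn.get("keyexchange", "ike").lower() == "ikev1":
        findings.append(f"{name}: keyexchange=ikev1; prefer ikev2 where the peer supports it")
        if conn.get("aggressive", "no").lower() == "yes" and conn.get("authby", "").lower() == "psk":
            findings.append(f"{name}: IKEv1 aggressive mode with a PSK; use main mode or IKEv2")
    for param in ("ike", "esp"):
        if param not in conn:
            findings.append(f"{name}: {param} proposal not set, daemon default applies; set it explicitly")
            continue
        for alt in proposal_alternatives(conn[param]):
            label, weak = "-".join(alt), sorted(set(alt) & WEAK_TOKENS)
            if weak:
                findings.append(f"{name}: {param} proposal {label} uses weak {', '.join(weak)}")
            if param == "esp" and not any(DH_GROUP_RE.match(t) for t in alt):
                findings.append(f"{name}: esp proposal {label} has no DH group, so rekeyed CHILD_SAs get no PFS")
    return findings

def lint_ipsec_conf(text, conn_name):
    """Parse, resolve and lint one conn from an ipsec.conf text."""
    return lint_conn(conn_name, resolve_conn(parse_ipsec_conf(text), conn_name))

if __name__ == "__main__":
    for conn in ("REMOTE1", "LEGACY"):
        for finding in lint_ipsec_conf(SAMPLE_CONF, conn):
            print(finding)
```

Run against the constructed sample, REMOTE1 yields two findings (IKEv1, and an esp proposal without a DH group), while LEGACY additionally trips the aggressive-mode and weak-algorithm checks. Point it at a real /usr/local/etc/ipsec.conf by reading the file into `lint_ipsec_conf`; the resolver deliberately raises on an also= cycle rather than looping.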