Date:      Mon, 13 May 2013 17:36:38 +0300
From:      Sami Halabi <sodynet1@gmail.com>
To:        Karl Denninger <karl@denninger.net>
Cc:        VANHULLEBUS Yvan <vanhu@freebsd.org>, freebsd-stable@freebsd.org
Subject:   Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Message-ID:  <CAEW%2BogauYOHr=sHLJAbi36sbt_s-4VfR8EgD1j6ZueavoMRyww@mail.gmail.com>
In-Reply-To: <5190F0F9.3040908@denninger.net>
References:  <516739C9.4080902@denninger.net> <20130417095719.GH3480@vpn.offrom.nl> <20130513134415.GA20624@zeninc.net> <5190F0F9.3040908@denninger.net>

Please share the confs.

Sami
On May 13, 2013 5:25 PM, "Karl Denninger" <karl@denninger.net> wrote:

> On 5/13/2013 8:44 AM, VANHULLEBUS Yvan wrote:
> > On Wed, Apr 17, 2013 at 11:57:19AM +0200, Willy Offermans wrote:
> >> Hello Karl and FreeBSD friends,
> > Hi all.
> >
> >> I recall having read about racoon and roadwarrior. Have a look at
> >> /usr/local/share/examples/ipsec-tools/, if you have installed it. I'm also
> >> planning to install this on my server. However I have only little time at
> >> the moment. I'm also looking for examples of configuration files to work
> >> with.
> > First, ipsec-tools is for IKEv1 only, as the subject of the original
> > mail talks about IKEv2.
> >
> > For IKEv1 (with ipsec-tools), the simplest way to do this would be to
> > create a remote "anonymous" and a sainfo "anonymous" section, with
> > "generate_policy" set to on: racoon will negotiate phase 1 / phase 2,
> > then will generate SPD entries from peer's proposal.
> >
> > Of course, this means that you'll have to trust what your peers will
> > negotiate as traffic endpoints!
> >
> > If you have some more time to spend on configuration (recommended!),
> > you can specify traffic endpoints for the sainfo section: valid
> > endpoints (which match the sainfo) negotiated by peer will work as
> > described above, and other traffic endpoints will not negotiate, as
> > racoon won't find any related sainfo.
> >
> >
> > Yvan.
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> >
> >
> I have successfully configured StrongSwan for IPSEC/IKEv2 and have it
> operating both with Windows clients and also with the BlackBerry Z-10.
> It is fast and works very well; I went for the current source directly
> rather than the port as I wanted to enable a number of options.
>
> If readers believe there's value in posting the "recipe" I used here let
> me know.
>
> --
> Karl Denninger
> karl@denninger.net
> /Cuda Systems LLC/
>
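
The IKEv1 setup Yvan describes in the quoted text, as an added racoon.conf sketch that is not part of the thread or of the ipsec-tools examples: a remote "anonymous" section with generate_policy on, with the permissive sainfo "anonymous" shown commented out beside a sainfo restricted to fixed traffic endpoints. The networks (documentation ranges), file names, certificate authentication and algorithm choices are assumptions for illustration.

```conf
# Added example. Paths, file names, networks and algorithms are assumed values.
path certificate "/usr/local/etc/racoon/certs";   # assumed certificate directory

# Phase 1: accept any peer address (road warriors have no fixed IP).
remote anonymous {
        exchange_mode main;
        passive on;                  # gateway answers, never initiates
        generate_policy on;          # SPD entries are built from the peer's proposal
        proposal_check strict;       # do not accept lifetimes/PFS weaker than ours
        my_identifier asn1dn;
        certificate_type x509 "gateway.crt" "gateway.key";   # assumed file names
        verify_cert on;              # peer certificate must validate
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

# Permissive variant (the "simplest way"): any traffic endpoints the peer
# proposes in phase 2 match this section and become SPD entries, so the
# peer decides which traffic is tunnelled.
#
# sainfo anonymous {
#         pfs_group 2;
#         lifetime time 1 hour;
#         encryption_algorithm aes;
#         authentication_algorithm hmac_sha1;
#         compression_algorithm deflate;
# }

# Restricted variant: only phase 2 proposals between the protected network
# (192.0.2.0/24, assumed) and the client range (198.51.100.0/24, assumed)
# match. With no "sainfo anonymous" present, any other endpoints find no
# sainfo and phase 2 does not negotiate.
sainfo address 192.0.2.0/24 any address 198.51.100.0/24 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```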


