On 09.08.2018 23:11, David P. Discher wrote:
> The documentation for using IPSec (especially if_ipsec) is really thin
> for FreeBSD, so I pieced some of this together from various posts and
> mailing-list threads.
>
> Is there no need for racoon? How in this example is the IKE/ISAKMP
> setup done? Is setkey doing this?
> This is 11.2-stable, shortly after release … I don't have this sysctl.

This is a manually configured tunnel between two FreeBSD 12.0-CURRENT hosts.
I can suggest trying the patch and config from this post:
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

>> Need to see your setkey.conf, or at least the output of setkey -D.
>
> setkey.conf is:
>
> flush;
> spdflush;
>
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

You don't need to create security policies for if_ipsec interfaces.
They are created by the interface automatically.

-- 
WBR, Andrey V. Elsukov
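Added example, not from either poster: the manual-keying setup Andrey describes for one end of the 10.245.0.201/10.245.0.202 tunnel, with SAs only and no spdadd lines, because ipsec(4) installs its own policies. It assumes the inner addresses 172.30.1.13/.14 inside the 172.30.1.12/30 quoted above and the ifconfig/setkey syntax from if_ipsec(4) and setkey(8); the keys are generated locally and must differ from the peer's only in direction, so copy them to the other host over a trusted channel.

```shell
#!/bin/sh
# Manually keyed if_ipsec tunnel, local side. Outer and inner addresses and
# the reqid (12) come from the thread; the inner host addresses are assumed.
set -eu

LOCAL_OUTER=10.245.0.201
PEER_OUTER=10.245.0.202
LOCAL_INNER=172.30.1.13
PEER_INNER=172.30.1.14
REQID=12

# Fresh 288-bit aes-gcm-16 keys (256-bit key + 32-bit salt), one per direction.
# Keys are produced here so the script runs offline; real deployments must
# reuse exactly these values on the peer and never reuse them elsewhere.
KEY_OUT=$(head -c 36 /dev/urandom | od -An -tx1 | tr -d ' \n')
KEY_IN=$(head -c 36 /dev/urandom | od -An -tx1 | tr -d ' \n')

# setkey_sa SRC DST SPI KEY REQID: one ESP SA in setkey(8) syntax.
# "-u REQID" is what binds the SA to the ipsec(4) interface; without a
# matching reqid the interface's auto-installed policy never selects it.
setkey_sa() {
    printf 'add %s %s esp 0x%x -m tunnel -u %s -E aes-gcm-16 0x%s;\n' \
        "$1" "$2" "$3" "$5" "$4"
}

# Complete SA section for both directions. Note: no spdadd/spdflush lines,
# since if_ipsec creates the security policies itself.
setkey_conf() {
    printf 'flush;\n'
    setkey_sa "$LOCAL_OUTER" "$PEER_OUTER" 4096 "$KEY_OUT" "$REQID"
    setkey_sa "$PEER_OUTER" "$LOCAL_OUTER" 4097 "$KEY_IN" "$REQID"
}

# Interface setup; the reqid here must equal the -u value in setkey_conf.
ifconfig_cmds() {
    printf 'ifconfig ipsec0 create reqid %s\n' "$REQID"
    printf 'ifconfig ipsec0 tunnel %s %s\n' "$LOCAL_OUTER" "$PEER_OUTER"
    printf 'ifconfig ipsec0 inet %s/30 %s\n' "$LOCAL_INNER" "$PEER_INNER"
}

# Print both pieces: run the first as root, feed the second to "setkey -c".
ifconfig_cmds
setkey_conf
```

On the peer, swap LOCAL_OUTER/PEER_OUTER and LOCAL_INNER/PEER_INNER, keep the same SPIs and keys for each direction, and check the installed SAs with setkey -D.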