Victor Sudakov <v...@sibptus.ru> wrote:
> Michael Grimm wrote:

First of all, I'd like to thank all of you for your input, which helped a lot.

>> I am running ipsec-tools to implement a VPN tunnel (esp) between two hosts
>> for years now.
>>
>> But this statement on http://ipsec-tools.sourceforge.net makes me think
>> about an alternative:
>>     The development of ipsec-tools has been ABANDONED.
>>     ipsec-tools has security issues, and you should not use it. Please
>>     switch to a secure alternative!
>>
>> Could you provide me with links where I could find more details about the
>> above mentioned 'security issues'? I want to find out if my specific setup
>> has security issues at all. Thanks.

Well, now I do know that security patches have been applied to
security/ipsec-tools. Thus one can ignore "Please switch to a secure
alternative!"

>> What would be a secure alternative if one is needed?
>> #) security/racoon2
>> #) security/strongswan
>> #) something else?
>
> There was also security/isakmpd, but it is marked as BROKEN now.
>
> I've been told that strongswan works on FreeBSD. I've tried installing
> strongswan, but it looks too complex and tricky in comparison with
> racoon.
>
> If you ever find good documentation/howto for strongswan on FreeBSD,
> please share with me.

Sorry, but I never tried strongswan as a replacement, mainly due to the
reasons you mentioned as well: I couldn't get it running. Thus I used racoon
instead.

Kurt mentioned wireguard. I could get the tunnel running, but I failed in
getting the routing at both sites running (in my preliminary tests).

Then this mail made my day:

>> What do I need?
>> #) a VPN tunnel between two hosts
>> #) both local networks reachable from the remote host
>
> That is what kernel IPSec is for, you can even do it on static keys
> without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

I did install my IPSEC/racoon tunnel many years ago and missed the recent
implementation of if_ipsec completely. Victor, thank you very, very much for
pointing me to this interface.
Now, my tunnel is far less complicated to implement[1], and I will no longer
need security/ipsec-tools at all!

[1] Following if_ipsec(4) and
https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because
the example with "right" and "left" notation helped to understand if_ipsec(4)
better (for me).

Thanks and regards,
Michael

_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
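The if_ipsec(4) static-key tunnel that Victor pointed to, laid out in the "left"/"right" notation Michael found helpful, as an added example that is not part of the thread, of FreeBSD's documentation or of the linked opnsense issue. The command forms follow if_ipsec(4) and setkey(8) as I know them (check them against your release's man pages); every address, SPI and key is a constructed placeholder, and the script only prints the commands for each host instead of applying them. It also adds the two checks a practitioner wants before installing manual SAs: keys must be real binary keys of the right length (an ASCII phrase is rejected), and SPIs in the IANA-reserved range 0-255 are refused. The route line at the end is what makes "both local networks reachable", the part Michael had trouble with in his wireguard test.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, FreeBSD or opnsense:
# generate an if_ipsec(4) manual-keying (static key) site-to-site setup
# for the "left" and "right" host. Nothing here touches the system; the
# printed commands are meant to be reviewed and then run on each host.

# Constructed sample topology (RFC 5737 documentation addresses).
LEFT_PUB=192.0.2.1        # public address of the left host
LEFT_LAN=10.1.0.0/24      # network behind the left host
RIGHT_PUB=198.51.100.1    # public address of the right host
RIGHT_LAN=10.2.0.0/24     # network behind the right host
TUN_LEFT=10.255.0.1       # point-to-point addresses on ipsec0
TUN_RIGHT=10.255.0.2
REQID=100                 # ties the ipsec0 interface to its SPD entries
SPI_L2R=10000             # SPI of the left->right SA (must be >= 256)
SPI_R2L=10001             # SPI of the right->left SA

# Constructed placeholder keys: replace with `openssl rand -hex 32` output
# (prefixed 0x). One key per direction keeps the two SAs independent.
# Manual keying never rekeys, so treat rotation as an operational task.
ENC_L2R=0x0102030405060708091011121314151617181920212223242526272829303132
ENC_R2L=0x3231302928272625242322212019181716151413121110090807060504030201
AUTH_L2R=0xa1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3c4c5c6c7c8c9d0d1d2
AUTH_R2L=0xd2d1d0c9c8c7c6c5c4c3c2c1c0b9b8b7b6b5b4b3b2b1b0a9a8a7a6a5a4a3a2a1

# check_hex_key LEN_BYTES KEY: KEY must be "0x" followed by exactly
# 2*LEN_BYTES hex digits, i.e. a binary key rather than an ASCII phrase.
check_hex_key() {
    want=$(( 2 * $1 ))
    case "$2" in 0x*) ;; *) return 1 ;; esac
    hex=${2#0x}
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#hex}" -eq "$want" ]
}

# check_spi SPI: SPI values 0-255 are reserved by IANA; reject them.
check_spi() { [ "$1" -ge 256 ] 2>/dev/null; }

# validate: all four keys are 32 bytes (aes-cbc 256 bit, hmac-sha2-256)
# and both SPIs are outside the reserved range.
validate() {
    for k in $ENC_L2R $ENC_R2L $AUTH_L2R $AUTH_R2L; do
        check_hex_key 32 "$k" || { echo "bad key length: $k" >&2; return 1; }
    done
    for s in $SPI_L2R $SPI_R2L; do
        check_spi "$s" || { echo "reserved SPI: $s" >&2; return 1; }
    done
}

# gen_side left|right: print the ifconfig/setkey/route commands for that
# host. Both hosts install the same two SAs; only the SPD direction, the
# interface addresses and the route to the remote LAN differ.
gen_side() {
    case "$1" in
        left)  me=$LEFT_PUB;  peer=$RIGHT_PUB; me_tun=$TUN_LEFT;  peer_tun=$TUN_RIGHT; peer_lan=$RIGHT_LAN ;;
        right) me=$RIGHT_PUB; peer=$LEFT_PUB;  me_tun=$TUN_RIGHT; peer_tun=$TUN_LEFT;  peer_lan=$LEFT_LAN ;;
        *) echo "usage: gen_side left|right" >&2; return 1 ;;
    esac
    cat <<EOF
# --- $1 host ($me) ---
sysctl net.inet.ip.forwarding=1              # forward between LAN and tunnel
ifconfig ipsec0 create reqid $REQID
ifconfig ipsec0 inet tunnel $me $peer
ifconfig ipsec0 inet $me_tun $peer_tun
setkey -c <<'SETKEY'
add $LEFT_PUB $RIGHT_PUB esp $SPI_L2R -m tunnel -E aes-cbc $ENC_L2R -A hmac-sha2-256 $AUTH_L2R;
add $RIGHT_PUB $LEFT_PUB esp $SPI_R2L -m tunnel -E aes-cbc $ENC_R2L -A hmac-sha2-256 $AUTH_R2L;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/tunnel/$me-$peer/unique:$REQID;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/tunnel/$peer-$me/unique:$REQID;
SETKEY
route add -net $peer_lan $peer_tun            # remote LAN via the tunnel peer
EOF
}

# Usage: validate first, then print both sides for review.
validate && gen_side left && gen_side right
```

The `unique:$REQID` level in the two `spdadd` lines is what binds the policies to the interface created with `create reqid`, so the selectors can stay wildcard; the inner `setkey` here-document is single-quoted in the printed output so that the keys are not expanded a second time by the shell that later runs it. Because static keys have no rekeying or forward secrecy, the checks above are the minimum; an IKE daemon is still the right choice wherever the key material cannot be rotated by hand.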