if_ipsec(4) and IKEv1 [security/ipsec-tools, racoon.conf]

Andrey V. Elsukov bu7cher at yandex.ru
Tue Feb 27 10:52:02 UTC 2018


On 27.02.2018 12:56, Harry Schmalzbauer wrote:
>  Hello,
> 
> I'm out of ideas how to quick-start with if_ipsec(4) and IKEv1.
> 
> I'm familiar with security/ipsec-tools, but I couldn't find out how
> racoon(8) would interact with cloned if_ipsec(4) interfaces yet.

You need to manually configure the if_ipsec interface, i.e. assign tunnel
addresses and bring it up. After that you need to configure racoon to
reply to ACQUIRE messages when some traffic goes through the configured
tunnel. So, you configure the if_ipsec tunnel and it creates security
policies; these policies produce ACQUIRE requests to racoon, and
racoon should reply, and this produces the needed security associations.

> Also, how to tell racoon(8) to generate such tunnel interfaces, hence
> policies?
> I guess the latter isn't implemented in racoon(8) (yet).

I don't think there are any IKE daemons that can do this.

> But is racoon(8) supposed to work with static policies generated by
> if_ipsec(4)?

Yes, at least for one tunnel it worked for me. Probably it is possible
for several tunnels too.

-- 
WBR, Andrey V. Elsukov
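A concrete version of the steps in the reply above, added here as an example and not taken from the thread or from ipsec-tools itself. The interface name, reqid, all addresses and the PSK path are constructed placeholders, and the example assumes racoon keeps the policy's reqid on the SAs it negotiates, since that is what binds the negotiated SAs to the if_ipsec(4) policies.

```shell
#!/bin/sh
# Added example, not from the original thread or from ipsec-tools: the
# manual if_ipsec(4) setup described in the reply, plus a racoon.conf that
# lets racoon answer the ACQUIRE requests the tunnel's policies generate.
# Every address, the reqid, the interface name and the PSK path are
# constructed placeholders.

IF=ipsec0
REQID=100               # ties the interface's policies to the SAs racoon installs
LOCAL_GW=203.0.113.1    # our outer endpoint (constructed)
REMOTE_GW=203.0.113.2   # peer's outer endpoint (constructed)
LOCAL_IN=10.10.0.1      # inner address on our side (constructed)
REMOTE_IN=10.10.0.2     # inner address on the peer (constructed)
PSK_FILE=/usr/local/etc/racoon/psk.txt

# Step 1: the ifconfig(8) commands that create the tunnel. Emitted as text
# so the script can be checked without touching a live system.
ipsec_if_commands() {
    printf 'ifconfig %s create reqid %s\n' "$IF" "$REQID"
    printf 'ifconfig %s inet tunnel %s %s\n' "$IF" "$LOCAL_GW" "$REMOTE_GW"
    printf 'ifconfig %s inet %s/30 %s\n' "$IF" "$LOCAL_IN" "$REMOTE_IN"
    printf 'ifconfig %s up\n' "$IF"
}

# Step 2: a minimal racoon.conf. The remote block must match the tunnel
# endpoints and the sainfo block must accept the ESP proposal; with those in
# place racoon can reply to the kernel's ACQUIRE for this tunnel. It is
# assumed here that racoon keeps the policy's reqid on the SAs it installs.
racoon_conf() {
    cat <<EOF
path pre_shared_key "$PSK_FILE";

listen {
    isakmp $LOCAL_GW [500];
}

remote $REMOTE_GW {
    exchange_mode main;
    my_identifier address $LOCAL_GW;
    proposal_check obey;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}

sainfo anonymous {
    pfs_group 14;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
EOF
}

# Step 3: what to look at while testing. setkey -DP shows the policies
# if_ipsec created (one per direction, carrying the reqid) as soon as the
# interface is configured; setkey -D shows SAs only after traffic has
# triggered an ACQUIRE and racoon has replied to it.
check_commands() {
    printf 'setkey -DP\n'
    printf 'setkey -D\n'
    printf 'ping -c 3 %s\n' "$REMOTE_IN"
}

# Run with --apply as root on the FreeBSD gateway to execute the commands
# and write the configuration; without it, nothing on the host is changed.
if [ "${1:-}" = "--apply" ]; then
    ipsec_if_commands | sh -e
    racoon_conf > /usr/local/etc/racoon/racoon.conf
fi
```

The order matters for the check in step 3: the policies are present right after the ifconfig commands, but no SA exists until something sends traffic over the tunnel, so an empty `setkey -D` before the first ping is expected rather than a fault.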
