replacement of security/ipsec-tools

Victor Sudakov vas at sibptus.ru
Fri Jan 10 03:50:11 UTC 2020


Michael Grimm wrote:
> [X-posted, please choose the relevant ML for such a thread]
> 
> Hi,
> 
> I have been running ipsec-tools to implement a VPN tunnel (esp) between two hosts for years now.
> 
> But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
> 	The development of ipsec-tools has been ABANDONED. 
> 	ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative! 
> 
> Could you provide me with links where I could find more details about the above-mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.
> 
> What would be a secure alternative if one is needed? 
> 	#) security/racoon2
> 	#) security/strongswan
> 	#) something else?

There was also security/isakmpd, but it is marked as BROKEN now.

I've been told that strongswan works on FreeBSD. I've tried installing
strongswan, but it looks too complex and tricky in comparison with
racoon.

If you ever find good documentation/howto for strongswan on FreeBSD,
please share with me.

> 
> What do I need?
> 	#) a VPN tunnel between two hosts
> 	#) both local networks reachable from the remote host

That is what kernel IPSec is for, you can even do it on static keys
without any ISAKMP daemon like racoon. See an example in if_ipsec(4).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
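
The static-key setup mentioned above (kernel IPsec over if_ipsec(4), no ISAKMP daemon), as an added example that is not part of the original message or of the man page: a small sh script that generates the setkey(8) SA entries and the ifconfig lines for one tunnel. The addresses (documentation ranges), inner addresses, SPIs 10000/10001, reqid 100 and the cipher choice are constructed values and assumptions.

```shell
#!/bin/sh
# Added example: generate manual-keyed ESP SAs and if_ipsec(4) interface
# commands for a two-host tunnel. All addresses, SPIs and the reqid below
# are constructed sample values, not taken from the thread.

# rand_hex N: N random bytes as 0x-prefixed hex, the key form setkey(8) accepts.
rand_hex() {
    printf '0x%s' "$(od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# sa_line SRC DST SPI REQID ENCKEY AUTHKEY: one unidirectional tunnel-mode SA.
sa_line() {
    printf 'add %s %s esp %s -m tunnel -u %s -E rijndael-cbc %s -A hmac-sha2-256 %s;\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# gen_setkey_conf A_PUBLIC B_PUBLIC REQID
# Prints input for `setkey -c`. Both hosts load the SAME two entries:
# one SA per direction, each with its own 256-bit cipher and HMAC key.
gen_setkey_conf() {
    a=$1 b=$2 reqid=$3
    sa_line "$a" "$b" 10000 "$reqid" "$(rand_hex 32)" "$(rand_hex 32)"
    sa_line "$b" "$a" 10001 "$reqid" "$(rand_hex 32)" "$(rand_hex 32)"
}

# gen_ifconfig LOCAL_PUBLIC REMOTE_PUBLIC LOCAL_INNER REMOTE_INNER REQID
# Per-host interface setup; swap local and remote on the other end.
# The reqid ties the interface to the SAs created with `-u REQID`.
gen_ifconfig() {
    printf 'ifconfig ipsec0 create reqid %s\n' "$5"
    printf 'ifconfig ipsec0 inet tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig ipsec0 inet %s %s\n' "$3" "$4"
}

# Sample run for host A (192.0.2.1) talking to host B (198.51.100.1).
echo "# --- SAD entries, identical on both hosts ---"
gen_setkey_conf 192.0.2.1 198.51.100.1 100
echo "# --- host A interface ---"
gen_ifconfig 192.0.2.1 198.51.100.1 10.0.0.1/24 10.0.0.2 100
echo "# --- host B interface ---"
gen_ifconfig 198.51.100.1 192.0.2.1 10.0.0.2/24 10.0.0.1 100
```

The generated file contains the keys in clear text, so it has to reach the second host over a trusted channel and stay readable by root only. Manual keys are never renegotiated and give no forward secrecy, so they must be replaced by hand on both hosts.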