replacement of security/ipsec-tools

Victor Sudakov vas at sibptus.ru
Mon Jan 13 09:34:54 UTC 2020


Victor Gamov wrote:
> I successfully use strongswan about 2 years to connect FreeBSD-FreeBSD and
> FreeBSD-Cisco

Victor, have you any experience with Windows hosts (FreeBSD - Windows IPSec)?

> 
> Configuration is simple:
> 
> ===== /usr/local/stc/rc.conf.d/netif/ipec2001:
> cloned_interfaces="$cloned_interfaces ipsec2001"
> create_args_ipsec2001="reqid 2001"
> ifconfig_ipsec2001="inet 10.10.01.2 10.10.01.3 netmask 255.255.255.254
> tunnel <local_WAN_ip> <remote_WAN_ip> up"
> =====
> 
> ===== /usr/local/etc/ipsec.conf
> conn tmpl_AES256_SHA256
>   left = <local_WAN_ip>
>   leftsubnet = 0.0.0.0/0
>   rightsubnet = 0.0.0.0/0
>   authby = psk
>   keyexchange = ikev1
>   ike = aes256-sha256-modp2048
>   esp = aes256-sha256
>   ikelifetime = 28800
>   mobike = no
>   installpolicy = no
>   lifetime = 3600
>   auto = start
> 
> conn REMOTE1
>   right = <remote_WAN_ip>
>   reqid = 2001
>   also = tmpl_AES256_SHA256
> =====

Thank you, so the "installpolicy = no" and "reqid = XXXX" parameters are
crucial for strongswan to bind to an existing SPD entry (created by
if_ipsec) instead of installing its own.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
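The point of the thread is that a strongswan `conn` only rides on an existing if_ipsec interface when `installpolicy = no` is set and its `reqid` matches the interface's `create_args_ipsecNNNN="reqid NNNN"`. The script below is an added example, not code from either poster: it parses constructed rc.conf.d and ipsec.conf fragments (with `also =` template inheritance) and reports conns that would install their own SPD entries or reference a reqid with no matching interface. All addresses and the second conn are constructed sample data.

```python
"""Cross-check strongswan conns against FreeBSD if_ipsec reqids.
Constructed sample input; the addresses are documentation ranges."""
import re

RC_CONF = '''cloned_interfaces="$cloned_interfaces ipsec2001"
create_args_ipsec2001="reqid 2001"
'''
IPSEC_CONF = '''conn tmpl_AES256_SHA256
  left = 192.0.2.1
  authby = psk
  keyexchange = ikev1
  installpolicy = no
  auto = start

conn REMOTE1
  right = 198.51.100.7
  reqid = 2001
  also = tmpl_AES256_SHA256

conn REMOTE2
  right = 198.51.100.8
  reqid = 2002
  installpolicy = yes
'''

def parse_rc_reqids(text):
    """{reqid: ifname} from create_args_ipsecN="reqid N" lines."""
    pat = re.compile(r'^create_args_(ipsec\d+)="reqid\s+(\d+)"', re.M)
    return {int(r): i for i, r in pat.findall(text)}

def parse_ipsec_conf(text):
    """{conn_name: {key: value}} with 'also =' templates merged in;
    keys set in the conn itself win over the template's."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v
    def resolve(name):
        own = dict(conns[name])
        base = own.pop("also", None)
        return {**resolve(base), **own} if base else own
    return {n: resolve(n) for n in conns}

def check(ipsec_text, rc_text):
    """List of (conn, problem); templates (no 'right') are skipped."""
    ifaces, problems = parse_rc_reqids(rc_text), []
    for name, c in parse_ipsec_conf(ipsec_text).items():
        if "right" not in c:
            continue
        if c.get("installpolicy", "yes") != "no":
            problems.append((name, "installpolicy is not 'no'"))
        rid = c.get("reqid")
        if rid is None or int(rid) not in ifaces:
            problems.append((name, f"reqid {rid} has no if_ipsec interface"))
    return problems
```

Run `check(IPSEC_CONF, RC_CONF)`: REMOTE1 is clean (it inherits `installpolicy = no` and reqid 2001 matches ipsec2001), while REMOTE2 is flagged twice.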