replacement of security/ipsec-tools
Victor Sudakov
vas at sibptus.ru
Mon Jan 13 09:34:54 UTC 2020
Victor Gamov wrote:
> I successfully use strongswan about 2 years to connect FreeBSD-FreeBSD and
> FreeBSD-Cisco
Victor, have you any experience with Windows hosts (FreeBSD - Windows IPSec)?
>
> Configuration is simple:
>
> ===== /usr/local/stc/rc.conf.d/netif/ipec2001:
> cloned_interfaces="$cloned_interfaces ipsec2001"
> create_args_ipsec2001="reqid 2001"
> ifconfig_ipsec2001="inet 10.10.01.2 10.10.01.3 netmask 255.255.255.254
> tunnel <local_WAN_ip> <remote_WAN_ip> up"
> =====
>
> ===== /usr/local/etc/ipsec.conf
> conn tmpl_AES256_SHA256
> left = <local_WAN_ip>
> leftsubnet = 0.0.0.0/0
> rightsubnet = 0.0.0.0/0
> authby = psk
> keyexchange = ikev1
> ike = aes256-sha256-modp2048
> esp = aes256-sha256
> ikelifetime = 28800
> mobike = no
> installpolicy = no
> lifetime = 3600
> auto = start
>
> conn REMOTE1
> right = <remote_WAN_ip>
> reqid = 2001
> also = tmpl_AES256_SHA256
> =====
Thank you, so the "installpolicy = no" and "reqid = XXXX" parameters are
crucial for strongswan to bind to an existing SPD entry (created by
if_ipsec) instead of installing its own.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
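The binding between an if_ipsec(4) interface and a strongSwan conn rests on two things matching: the reqid passed in create_args_ipsecN and the reqid in the conn, with installpolicy = no so strongSwan negotiates the SA for the SPD entries the interface created rather than installing its own. Below is an added consistency check, not code from this thread or from the strongSwan project, that parses the two files in the format quoted above and reports any interface or conn where that binding is broken. It assumes that a conn's own settings override the keys pulled in by also = (conn %default is not expanded), and the sample input is constructed with RFC 5737 documentation addresses.

```python
"""Cross-check if_ipsec(4) interfaces against strongSwan conn sections.
Added example for the thread above; constructed input, documentation addresses."""
import re
from typing import Dict, List

# Constructed sample input modelled on the quoted configuration.
# ipsec2002 is created but no conn negotiates reqid 2002 (wrong).
SAMPLE_RC_CONF = """
cloned_interfaces="$cloned_interfaces ipsec2001 ipsec2002 ipsec2004"
create_args_ipsec2001="reqid 2001"
create_args_ipsec2002="reqid 2002"
create_args_ipsec2004="reqid 2004"
ifconfig_ipsec2001="inet 10.10.1.2 10.10.1.3 netmask 255.255.255.254 tunnel 192.0.2.1 198.51.100.1 up"
"""

SAMPLE_IPSEC_CONF = """
conn tmpl_AES256_SHA256
    left = 192.0.2.1
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = psk
    keyexchange = ikev1
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    installpolicy = no
    auto = start

# correct: reqid matches ipsec2001 and installpolicy = no is inherited
conn REMOTE1
    right = 198.51.100.1
    reqid = 2001
    also = tmpl_AES256_SHA256

# wrong: no if_ipsec interface was created with reqid 2003
conn REMOTE3
    right = 203.0.113.7
    reqid = 2003
    also = tmpl_AES256_SHA256

# wrong: reqid matches ipsec2004, but strongSwan would install its own SPD entries
conn REMOTE4
    right = 203.0.113.8
    reqid = 2004
    authby = psk
    installpolicy = yes
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse conn sections into {name: {key: value}}, expanding also= references.
    Assumption: a conn's own keys override keys taken from the included section."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = {}
            sections[m.group(1)] = current
            continue
        if current is None or "=" not in line:
            continue                             # config/ca sections are not needed here
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value

    def expand(name: str, chain=()) -> Dict[str, str]:
        own = dict(sections[name])
        tmpl = own.pop("also", None)
        if tmpl is None:
            return own
        if tmpl in chain or tmpl not in sections:
            raise ValueError(f"conn {name}: unresolvable also={tmpl}")
        merged = expand(tmpl, chain + (name,))
        merged.update(own)                       # conn's own settings win
        return merged

    return {name: expand(name) for name in sections}


def parse_if_ipsec_reqids(text: str) -> Dict[str, int]:
    """Return {interface: reqid} from create_args_ipsecN="reqid N" lines."""
    pattern = r'^\s*create_args_(ipsec\d+)="reqid\s+(\d+)"'
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.M)}


def check_binding(ifaces: Dict[str, int], conns: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the two files agree."""
    problems: List[str] = []
    by_reqid: Dict[int, List[str]] = {}
    for name, sec in conns.items():
        if "reqid" not in sec:
            continue                             # templates carry no reqid
        try:
            by_reqid.setdefault(int(sec["reqid"]), []).append(name)
        except ValueError:
            problems.append(f"conn {name}: reqid {sec['reqid']!r} is not an integer")
    for iface, reqid in sorted(ifaces.items()):
        names = by_reqid.get(reqid, [])
        if not names:
            problems.append(f"{iface}: no conn negotiates reqid {reqid}; no SA will ever be set up for it")
        elif len(names) > 1:
            problems.append(f"{iface}: reqid {reqid} is claimed by several conns: {', '.join(names)}")
        for name in names:                       # strongSwan defaults installpolicy to yes
            if conns[name].get("installpolicy", "yes").lower() != "no":
                problems.append(f"conn {name}: installpolicy must be no when bound to {iface}; "
                                "strongSwan would install its own SPD entries beside if_ipsec's")
    for reqid, names in sorted(by_reqid.items()):
        if reqid not in set(ifaces.values()):
            problems.extend(f"conn {n}: reqid {reqid} belongs to no if_ipsec interface" for n in names)
    return problems


def run_check() -> List[str]:
    """Run the check on the constructed samples; expected to find three problems."""
    return check_binding(parse_if_ipsec_reqids(SAMPLE_RC_CONF), parse_ipsec_conf(SAMPLE_IPSEC_CONF))


if __name__ == "__main__":
    for problem in run_check():
        print(problem)
```

On a real host, feed the script the contents of the netif file under /etc/rc.conf.d (or /usr/local/etc/rc.conf.d) and of ipsec.conf instead of the samples; a clean run returns no problems, and the three sample findings show the failure modes: an interface nothing negotiates for, a conn whose reqid matches no interface, and a conn that would make strongSwan install policies of its own alongside those if_ipsec created.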