Discussion:
replacement of security/ipsec-tools
Michael Grimm
2020-01-02 22:06:53 UTC
[X-posted, please choose the relevant ML for such a thread]

Hi,

I have been running ipsec-tools to implement a VPN tunnel (ESP) between two hosts for years now.

But this statement on http://ipsec-tools.sourceforge.net makes me think about an alternative:
The development of ipsec-tools has been ABANDONED.
ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!

Could you provide me with links where I could find more details about the above mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.

What would be a secure alternative if one is needed?
#) security/racoon2
#) security/strongswan
#) something else?

What do I need?
#) a VPN tunnel between two hosts
#) both local networks reachable from the remote host

Thanks and regards,
Michael

_______________________________________________
freebsd-***@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-***@freebsd.org"

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Kurt Jaeger
2020-01-02 23:28:19 UTC
Hi!
Post by Michael Grimm
What would be a secure alternative if one is needed?
#) security/racoon2
#) security/strongswan
This is also IPsec-based.
Post by Michael Grimm
#) something else?
openvpn or wireguard
--
***@opsec.eu +49 171 3101372 Now what ?
Eugene Grosbein
2020-01-09 16:39:41 UTC
Post by Michael Grimm
I have been running ipsec-tools to implement a VPN tunnel (ESP) between two hosts for years now.
The development of ipsec-tools has been ABANDONED.
ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
Could you provide me with links where I could find more details about the above mentioned 'security issues'?
Our port of ipsec-tools has fixes for all known security issues (e.g. CVE-2016-10396),
so you may safely continue using it provided you have the latest port/package.

Michael Grimm
2020-01-11 11:14:35 UTC
First of all, I'd like to thank all of you for your input, which helped a lot.
Post by Michael Grimm
I have been running ipsec-tools to implement a VPN tunnel (ESP) between two hosts for years now.
The development of ipsec-tools has been ABANDONED.
ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!
Could you provide me with links where I could find more details about the above mentioned 'security issues'? I want to find out if my specific setup has security issues at all. Thanks.
Well, now I do know that security patches have been applied to security/ipsec-tools. Thus one can ignore "Please switch to a secure alternative!"
Post by Michael Grimm
What would be a secure alternative if one is needed?
#) security/racoon2
#) security/strongswan
#) something else?
There was also security/isakmpd, but it is marked as BROKEN now.
I've been told that strongswan works on FreeBSD. I've tried installing
strongswan, but it looks too complex and tricky in comparison with
racoon.
If you ever find good documentation/howto for strongswan on FreeBSD,
please share with me.
Sorry, but I never tried strongswan as a replacement, mainly due to the reasons you mentioned as well: I couldn't get it running. Thus I used racoon instead.

Kurt mentioned wireguard. I could get the tunnel running, but I failed in getting the routing at both sites running (in my preliminary tests).
Post by Michael Grimm
What do I need?
#) a VPN tunnel between two hosts
#) both local networks reachable from the remote host
That is what kernel IPsec is for; you can even do it on static keys
without any ISAKMP daemon like racoon. See an example in if_ipsec(4).
I did install my IPSEC/racoon tunnel many years ago and missed the recent implementation of if_ipsec completely.

Victor, thank you very, very much for pointing me to this interface. Now, my tunnel is far less complicated to implement[1], and I will no longer need security/ipsec-tools at all!

[1] Following if_ipsec(4) and https://github.com/opnsense/core/issues/2332#issuecomment-379181820, because the example with "right" and "left" notation helped to understand if_ipsec(4) better (for me).

Thanks and regards,
Michael

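As an added example (not from this thread, nor from FreeBSD's own documentation), the following POSIX shell renders the if_ipsec(4) static-key setup that Victor points to for both hosts from a single left/right description, the notation Michael found helpful. All addresses, SPIs and keys are constructed placeholders; the commands follow the layout of the if_ipsec(4) example (reqid set on the interface, ESP SAs added with setkey -u <reqid>, no manual spdadd because the interface installs its own policies), and each direction gets its own encryption and integrity key.

```shell
#!/bin/sh
# Added example (constructed): render the if_ipsec(4) static-key setup for both
# ends of a host-to-host tunnel from one left/right description. Nothing is
# applied to the kernel; review the output, then run it on the matching host.
# Every address, SPI and key below is a placeholder.
LEFT_WAN=192.0.2.1;     LEFT_LAN=10.1.0.0/24;  LEFT_TUN=172.16.0.1
RIGHT_WAN=198.51.100.1; RIGHT_LAN=10.2.0.0/24; RIGHT_TUN=172.16.0.2
SPI_L2R=10000; SPI_R2L=10001
# Separate keys per direction (generate real ones with: openssl rand -hex 16 / 32).
EKEY_L2R=0x000102030405060708090a0b0c0d0e0f                                  # AES-128
EKEY_R2L=0x101112131415161718191a1b1c1d1e1f
AKEY_L2R=0x202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f  # HMAC-SHA2-256
AKEY_R2L=0x404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f

# check_key <hexkey> <bytes>: reject keys that are not 0x-prefixed hex of exactly <bytes>
check_key() {
    k=${1#0x}
    [ "$k" != "$1" ] || return 1
    [ ${#k} -eq $(( $2 * 2 )) ] || return 1
    case $k in *[!0-9a-fA-F]*) return 1 ;; esac
}

# sa_line <src> <dst> <spi> <reqid> <ekey> <akey>: one setkey(8) 'add' for an
# ESP tunnel-mode SA, bound to the interface's reqid via -u
sa_line() {
    check_key "$5" 16 || { echo "bad AES-128 key: $5" >&2; return 1; }
    check_key "$6" 32 || { echo "bad HMAC-SHA2-256 key: $6" >&2; return 1; }
    printf 'add %s %s esp %s -m tunnel -u %s -E rijndael-cbc %s -A hmac-sha2-256 %s;\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# render_host <local_wan> <remote_wan> <local_tun> <remote_tun> <remote_lan> <reqid>
# Both hosts install the SAME two SAs (an SA is identified by src/dst/SPI, not by
# which end you sit on); only interface addresses, the LAN route and the reqid differ.
render_host() {
    echo "ifconfig ipsec0 create reqid $6"
    echo "ifconfig ipsec0 inet tunnel $1 $2"
    echo "ifconfig ipsec0 inet $3/32 $4"
    echo "route add -net $5 $4"
    echo "setkey -c <<'EOF'"
    sa_line "$LEFT_WAN"  "$RIGHT_WAN" "$SPI_L2R" "$6" "$EKEY_L2R" "$AKEY_L2R"
    sa_line "$RIGHT_WAN" "$LEFT_WAN"  "$SPI_R2L" "$6" "$EKEY_R2L" "$AKEY_R2L"
    echo "EOF"
}
render_left()  { render_host "$LEFT_WAN"  "$RIGHT_WAN" "$LEFT_TUN"  "$RIGHT_TUN" "$RIGHT_LAN" 100; }
render_right() { render_host "$RIGHT_WAN" "$LEFT_WAN"  "$RIGHT_TUN" "$LEFT_TUN"  "$LEFT_LAN"  200; }

case "${1:-}" in left|right) "render_$1" ;; esac
```

Run it as `sh script.sh left` on one host and `sh script.sh right` on the other; the left-to-right SA is left's outbound and right's inbound, which is the whole point of the left/right notation, and the route line is what makes the remote LAN reachable through the tunnel interface.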
