# ipsec vpn documentation ipsec-tools required



## tonyhain (Nov 23, 2019)

Is there a reason that the ipsec vpn document 13.7 requires ipsec-tools when the ipsec-tools repository shows

```
2014 and later
Development abandoned

ipsec-tools has security issues, and you should not use it
```

I could understand a recent change, but 5 years later seems like something is being overlooked. Is there an alternative that I am just missing somewhere?


----------



## unitrunker (Nov 23, 2019)

There is also ...

https://www.freshports.org/security/racoon2/

I think this commit log entry explains:



> The security/racoon2 port broke when FreeBSD-CURRENT switched to openssl111. Unfortunately racoon is no longer maintained by the now defunct KAME project, which officially concluded in March 2006 (see http://www.kame.net/). However the good news is that racoon2 was forked on github and is maintained by Christos Zoulas, a NetBSD committer (christos@NetBSD.org). This commit switches from the no longer maintained KAME version of racoon2 to the fork maintained by Christos Zoulas on github (https://github.com/zoulasc).
> 
> This commit resolves building with openssl111 on FreeBSD-CURRENT. Looking through Christos' logs on github this resolves many other issues. As can be seen, the many patches required to wedge this fork of racoon2 into our ports tree fixed many issues in the base software. These will be pushed upstream over time, when time permits.


----------



## SirDice (Nov 25, 2019)

Also try security/strongswan.


----------



## tonyhain (Nov 25, 2019)

I understand strongswan is an option. My point was that the base documentation makes no mention that the section references an abandoned port. Given that this is a security function, one would hope that people are not being misled to install software with known flaws rather than being redirected. Even a simple banner at the top of the page noting that status and any recommendation would be better than what is there. 

I am not convinced that the content should go away as there may be people with old vpn servers that only do ikev1, so this may still be useful as long as they understand the risks. For the long term the default should be replaced though.


----------



## SirDice (Nov 26, 2019)

The handbook is, much like everything else, mostly user contributed. Anybody can submit updates or provide better documentation. 

FreeBSD Documentation Project Primer for New Contributors


----------



## tpfiler (Jan 6, 2020)

Would there be any conflicts if I use both racoon and strongswan simultaneously? I am running racoon and would like to run strongswan for better stability and security but maintain the racoon tunnels I already have and just add new ones with strongswan.


----------

