Date: Tue, 7 May 2019 23:23:22 +0300
From: KOT MATPOCKuH <matpockuh@gmail.com>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: stable@freebsd.org
Subject: Re: route based ipsec
Message-ID: <CALmdT0W6f_X-V6UadxwYpsfbr0m34xANRGN5qWhs-7KMvCyA6A@mail.gmail.com>
In-Reply-To: <a7d8c37c-8712-ded6-4c30-d473bf20f877@yandex.ru>
References: <CALmdT0Wdb+=LHvTaO9MU=MnQvQJEzKT9CXAf2kVPY=AAc=kxVQ@mail.gmail.com> <a7d8c37c-8712-ded6-4c30-d473bf20f877@yandex.ru>
Hello!

Sun, 5 May 2019 at 13:50, Andrey V. Elsukov <bu7cher@yandex.ru>:

> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to another
> > IKE daemon?
>
> I think it is unmaintained in upstream too.

But why is it still recommended in the FreeBSD handbook?

> > 1. racoon crashed with a core dump 3 times (2 times on one host, 1 time
> > on another host):
> >
> > (gdb) bt
> > #0 0x000000000024417f in isakmp_info_recv ()
> > #1 0x00000000002345f4 in isakmp_main ()
> > #2 0x00000000002307d0 in isakmp_handler ()
> > #3 0x000000000022f10d in session ()
> > #4 0x000000000022e62a in main ()
> >
> > 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> > IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.

I don't understand what in my configuration can make a running daemon dump core...
I have attached a sample racoon.conf. Can you check it for possible problems?

Also on one host I got a crash in another function:

(gdb) bt
#0 0x000000000024717f in privsep_init ()
#1 0x00000000002375f4 in inscontacted ()
#2 0x00000000002337d0 in isakmp_plist_set_all ()
#3 0x000000000023210d in isakmp_ph2expire ()
#4 0x000000000023162a in isakmp_ph1delete ()
#5 0x000000000023110b in isakmp_ph2resend ()
#6 0x00000008002aa000 in ?? ()
#7 0x0000000000000000 in ?? ()

> Note that if_ipsec(4) interfaces have their own security policies and you need
> to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add a special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in the
> port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

This patch is already applied to the ports tree. But it's not enough in my case :(

> Also you can use strongswan; we have been using it for some time and have no problems.

Okay. Thank you! I will try to use strongswan.
I tried to replace rsasig authentication with psk, but without luck.
I again got two IPsec SAs for each direction....

-- 
MATPOCKuH

[Attachment: racoon.conf, decoded from base64]

path certificate "/etc/ssl/new";

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some padding parameters. You should not touch these.
padding {
	maximum_length	20;	# maximum padding length.
	randomize	off;	# enable randomize length.
	strict_check	off;	# enable strict check.
	exclusive_tail	off;	# extract last one octet.
}

listen
{
	isakmp		aaa.bbb.ccc.ddd [500];
}

# Specify various default timers.
timer {
	# These value can be changed per remote node.
	counter		5;		# maximum trying count to send.
	interval	20 sec;		# maximum interval to resend.
	persend		1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode		main;
	doi			ipsec_doi;

	my_identifier		asn1dn;
	peers_identifier	asn1dn;
	verify_identifier	on;
	certificate_type	x509 "host1.ru.crt" "host1.ru.key";
	ca_type			x509 "ca.crt";
	dpd_delay		10;

	lifetime time		12 hour; # sec,min,hour
	passive			off;
	proposal_check		strict; # obey, strict, or claim
	nat_traversal		off;

	proposal {
		encryption_algorithm	aes 256;
		hash_algorithm		sha256;
		authentication_method	rsasig;
		lifetime time		30 sec;
		dh_group		16;
	}
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode		main;
	doi			ipsec_doi;

	my_identifier		asn1dn;
	peers_identifier	asn1dn;
	verify_identifier	on;
	certificate_type	x509 "host1.ru.crt" "host1.ru.key";
	ca_type			x509 "ca.crt";
	dpd_delay		10;

	lifetime time		12 hour; # sec,min,hour
	passive			off;
	proposal_check		strict; # obey, strict, or claim
	nat_traversal		off;

	proposal {
		encryption_algorithm	aes 256;
		hash_algorithm		sha256;
		authentication_method	rsasig;
		lifetime time		30 sec;
		dh_group		16;
	}
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode		main;
	doi			ipsec_doi;

	my_identifier		asn1dn;
	peers_identifier	asn1dn;
	verify_identifier	on;
	certificate_type	x509 "host1.ru.crt" "host1.ru.key";
	ca_type			x509 "ca.crt";
	dpd_delay		10;

	lifetime time		12 hour; # sec,min,hour
	passive			off;
	proposal_check		strict; # obey, strict, or claim
	nat_traversal		off;

	proposal {
		encryption_algorithm	aes 256;
		hash_algorithm		sha256;
		authentication_method	rsasig;
		lifetime time		30 sec;
		dh_group		16;
	}
}

sainfo anonymous {
	pfs_group			16;
	lifetime time			12 hour;
	encryption_algorithm		aes 256;
	authentication_algorithm	hmac_sha256;
	compression_algorithm		deflate;
}
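The thread's two diagnostic questions, whether a direction carries more than one live SA and whether SAs belonging to different if_ipsec(4) interfaces are kept apart by reqid, can be answered from the kernel SAD dump. The script below is an added example, not code from the thread or from the ipsec-tools project. It assumes the textual layout of `setkey -D` output (a bare "src dst" line followed by indented attribute lines carrying `esp mode=... spi=... reqid=...` and `state=...`); the dump it parses is constructed for illustration and the addresses are documentation ranges.

```python
"""Group IPsec SAs from a setkey -D style dump and flag directions with
more than one live SA.

Added example; the dump below is constructed, and the parser assumes the
"src dst" / indented-attributes layout of setkey -D output.
"""
import re
from collections import defaultdict

# Constructed sample: two mature SAs for 192.0.2.1 -> 198.51.100.1 with the
# same reqid (the symptom from the thread), a mature + dying pair for the
# reverse direction (ordinary rekeying), and one SA with a different reqid,
# i.e. belonging to another if_ipsec(4) interface.
SAMPLE_SADB = """\
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=259253241(0x0f73d7f9) reqid=1(0x00000001)
    E: aes-cbc  0123456789abcdef
    A: hmac-sha256  fedcba9876543210
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=1(0x00000001)
    E: aes-cbc  0123456789abcdef
    A: hmac-sha256  fedcba9876543210
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=987654321(0x3ade68b1) reqid=1(0x00000001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=111111111(0x069f6bc7) reqid=1(0x00000001)
    seq=0x00000000 replay=32 flags=0x00000000 state=dying
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=222222222(0x0d3ed78e) reqid=2(0x00000002)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

SA_HEADER_RE = re.compile(
    r"^\s+(?P<proto>esp|ah|ipcomp)\s+mode=(?P<mode>\w+)\s+"
    r"spi=(?P<spi>\d+)\(0x[0-9a-fA-F]+\)\s+reqid=(?P<reqid>\d+)"
)
STATE_RE = re.compile(r"\bstate=(?P<state>\w+)")


def parse_sadb(text):
    """Return one dict per SA entry found in the dump."""
    sas = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented "src dst" line opens a new SA entry.
            parts = line.split()
            if len(parts) != 2:
                continue
            current = {"src": parts[0], "dst": parts[1], "proto": None,
                       "mode": None, "spi": None, "reqid": None, "state": None}
            sas.append(current)
            continue
        if current is None:
            continue
        m = SA_HEADER_RE.match(line)
        if m:
            current["proto"] = m.group("proto")
            current["mode"] = m.group("mode")
            current["spi"] = int(m.group("spi"))
            current["reqid"] = int(m.group("reqid"))
            continue
        m = STATE_RE.search(line)
        if m:
            current["state"] = m.group("state")
    return sas


def group_by_direction(sas):
    """Key SAs by (src, dst, reqid): reqid is what keeps interfaces apart."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["src"], sa["dst"], sa["reqid"])].append(sa)
    return dict(groups)


def find_duplicate_directions(sas, live_states=("mature",)):
    """Return [(key, [spi, ...])] for directions with more than one live SA.

    A mature SA beside a dying one is normal rekeying and is not reported;
    two mature SAs for the same src/dst/reqid are what the thread describes.
    """
    dups = []
    for key, group in group_by_direction(sas).items():
        live = sorted(sa["spi"] for sa in group if sa["state"] in live_states)
        if len(live) > 1:
            dups.append((key, live))
    return dups


if __name__ == "__main__":
    for (src, dst, reqid), spis in find_duplicate_directions(parse_sadb(SAMPLE_SADB)):
        print(f"{src} -> {dst} reqid={reqid}: {len(spis)} live SAs, spi={spis}")
```

Feed it a real dump with `setkey -D | python3 sa_check.py` after replacing `SAMPLE_SADB` with `sys.stdin.read()`; a direction reported here with two mature SAs and the same reqid is worth comparing against the `remote` and `sainfo` blocks that negotiated them, while the same src/dst under different reqids is the expected picture for two if_ipsec(4) interfaces.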