From owner-freebsd-stable@freebsd.org Tue May 7 20:23:09 2019
From: KOT MATPOCKuH
Date: Tue, 7 May 2019 23:23:22 +0300
Subject: Re: route based ipsec
To: "Andrey V. Elsukov"
Cc: stable@freebsd.org
List-Id: Production branch of FreeBSD source code
Hello!

Sun, 5 May 2019 at 13:50, Andrey V. Elsukov:

> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to use another
> > IKE daemon?
> I think it is unmaintained in upstream too.

But why is it still recommended in the FreeBSD handbook?

> > 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> > on another host):
> > (gdb) bt
> > #0 0x000000000024417f in isakmp_info_recv ()
> > #1 0x00000000002345f4 in isakmp_main ()
> > #2 0x00000000002307d0 in isakmp_handler ()
> > #3 0x000000000022f10d in session ()
> > #4 0x000000000022e62a in main ()
> >
> > 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> > IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.

I don't understand what in my configuration can result in core dumps of a running daemon... I've attached a sample racoon.conf. Can you check for possible problems?

Also on one host I got a crash in another function:
(gdb) bt
#0 0x000000000024717f in privsep_init ()
#1 0x00000000002375f4 in inscontacted ()
#2 0x00000000002337d0 in isakmp_plist_set_all ()
#3 0x000000000023210d in isakmp_ph2expire ()
#4 0x000000000023162a in isakmp_ph1delete ()
#5 0x000000000023110b in isakmp_ph2resend ()
#6 0x00000008002aa000 in ?? ()
#7 0x0000000000000000 in ?? ()

> Note that if_ipsec(4) interfaces have their own security policies and you need
> to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add a special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in the
> port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

This patch has already been applied to the ports tree.
But it's not enough in my case :(

> Also you can use strongswan; we have used it for some time and have no problems.

Okay. Thank you! I will try to use strongswan.
I tried to replace rsasig authentication with psk, but without luck. I again got two IPsec SAs for each direction....

--
MATPOCKuH

Attachment: racoon.conf (decoded from the base64 MIME part of the message):

path certificate "/etc/ssl/new";

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some padding parameters. You should not touch these.
padding {
	maximum_length	20;	# maximum padding length.
	randomize	off;	# enable randomize length.
	strict_check	off;	# enable strict check.
	exclusive_tail	off;	# extract last one octet.
}

listen
{
	isakmp		aaa.bbb.ccc.ddd [500];
}

# Specify various default timers.
timer {
	# These value can be changed per remote node.
	counter		5;		# maximum trying count to send.
	interval	20 sec;		# maximum interval to resend.
	persend		1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode		main;
	doi			ipsec_doi;

	my_identifier		asn1dn;
	peers_identifier	asn1dn;
	verify_identifier	on;
	certificate_type	x509 "host1.ru.crt" "host1.ru.key";
	ca_type			x509 "ca.crt";
	dpd_delay		10;

	lifetime time		12 hour; # sec,min,hour
	passive			off;
	proposal_check		strict; # obey, strict, or claim
	nat_traversal		off;

	proposal {
		encryption_algorithm	aes 256;
		hash_algorithm		sha256;
		authentication_method	rsasig;
		lifetime time		30 sec;
		dh_group		16;
	}
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode		main;
	doi			ipsec_doi;

	my_identifier		asn1dn;
	peers_identifier	asn1dn;
	verify_identifier	on;
	certificate_type	x509 "host1.ru.crt" "host1.ru.key";
	ca_type			x509 "ca.crt";
	dpd_delay		10;

	lifetime time		12 hour; # sec,min,hour
	passive			off;
	proposal_check		strict; # obey, strict, or claim
	nat_traversal		off;

	proposal {
		encryption_algorithm	aes 256;
		hash_algorithm		sha256;
		authentication_method	rsasig;
		lifetime time		30 sec;
		dh_group		16;
	}
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode		main;
	doi			ipsec_doi;

	my_identifier		asn1dn;
	peers_identifier	asn1dn;
	verify_identifier	on;
	certificate_type	x509 "host1.ru.crt" "host1.ru.key";
	ca_type			x509 "ca.crt";
	dpd_delay		10;

	lifetime time		12 hour; # sec,min,hour
	passive			off;
	proposal_check		strict; # obey, strict, or claim
	nat_traversal		off;

	proposal {
		encryption_algorithm	aes 256;
		hash_algorithm		sha256;
		authentication_method	rsasig;
		lifetime time		30 sec;
		dh_group		16;
	}
}

sainfo anonymous {
	pfs_group			16;
	lifetime time			12 hour;
	encryption_algorithm		aes 256;
	authentication_algorithm	hmac_sha256;
	compression_algorithm		deflate;
}
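An added diagnostic example, not part of this thread: a small Python parser for `setkey -D` (SAD dump) output that groups mature SAs per traffic direction, reports each SA's reqid and SPI, and flags directions carrying more than one mature SA, which is the symptom the thread reports. The sample dump is constructed, and the field layout (`<src> <dst>` header line, then `esp mode=... spi=N(0x..) reqid=N(0x..)` and a `state=` line) is assumed from setkey(8) output; an SA in `state=dying` (normal during rekeying) is shown so the check does not misreport a rekey as a duplicate.

```python
import re
from collections import defaultdict

# Constructed sample of `setkey -D` output: two mature SAs for A->B (the
# reported symptom); for B->A one mature SA plus one dying (normal rekey).
SAMPLE_SETKEY_D = (
    "192.0.2.1 192.0.2.2\n"
    "\tesp mode=tunnel spi=123456789(0x075bcd15) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "192.0.2.1 192.0.2.2\n"
    "\tesp mode=tunnel spi=987654321(0x3ade68b1) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "192.0.2.2 192.0.2.1\n"
    "\tesp mode=tunnel spi=192837465(0x0b7e5b59) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "192.0.2.2 192.0.2.1\n"
    "\tesp mode=tunnel spi=5(0x00000005) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=dying\n"
)

# Field layout assumed from setkey(8); adjust the patterns if yours differs.
ENDPOINTS_RE = re.compile(r"^(\S+)\s+(\S+)$")
SA_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=\d+\(0x([0-9a-f]+)\)\s+reqid=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi (hex), reqid, state."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := ENDPOINTS_RE.match(line):          # "<src> <dst>" header line
            cur = {"src": m.group(1), "dst": m.group(2)}
        elif cur and (m := SA_RE.match(line)):
            cur.update(proto=m.group(1), mode=m.group(2), spi=m.group(3), reqid=int(m.group(4)))
        elif cur and "spi" in cur and (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)               # state line closes the record
            sas.append(cur)
            cur = None
    return sas

def duplicate_directions(sas):
    """Map (src, dst) -> [(reqid, spi), ...] for directions with >1 mature SA."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("state") == "mature":             # ignore larval/dying SAs
            groups[(sa["src"], sa["dst"])].append((sa["reqid"], sa["spi"]))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Feed it the real dump with `parse_sad(open("sad.txt").read())`; a flagged direction whose SAs differ in reqid points at policies created outside the if_ipsec(4) interface, while identical reqids point at the IKE daemon negotiating twice.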