Date: Wed, 9 May 2018 09:08:13 +0800 From: Julian Elischer <julian@freebsd.org> To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, peter.blok@bsd4all.org, Victor Gamov <vit@otcnet.ru> Cc: freebsd-net@freebsd.org Subject: Re: multiple if_ipsec Message-ID: <f0bf9447-ff9d-afea-db19-245dcaeb02b6@freebsd.org> In-Reply-To: <d4aedb31-245b-b465-8979-2263bdea0ee3@yandex.ru> References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru> <C6EF4FCA-CBA0-4068-A582-E3C99D209D0C@bsd4all.org> <d4aedb31-245b-b465-8979-2263bdea0ee3@yandex.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On 8/5/18 9:51 pm, Andrey V. Elsukov wrote: > On 08.05.2018 14:03, peter.blok@bsd4all.org wrote: >> Hi Victor, >> >> I’m struggling wit the same issue. My sainfo doesn’t match unless I >> use anonymous. >> >> Hi Andrey, >> >> What I don’t understand is why a “catchall” policy is added instead >> of the policy that matches the inner tunnel. > This is because the how IPsec works in BSD network stack. > > In simple words - outbound traffic is matched by security policy, > inbound is matched by security association. > > When a packet is going to be send from a host, the kernel checks > security policies for match. If it is matched, a packet goes into IPsec > processing. Then IPsec code using given security policy does lookup for > matched security association. And some IPsec transform happens. > > When a host receives a packet, it handled by network stack first. And > if it has corresponding IPsec inner protocol (ESP, AH), it will be > handled by IPsec code. A packet has embedded SPI, it is used for > security association lookup. If corresponding SA is found, the IPsec > code will apply revers IPsec transform to the packet. Then the kernel > checks, that there is some security policy for that packet. > > Now how if_ipsec(4) works. Security policies associated with interface > have configured requirements for tunnel mode with configured addresses. > Interfaces are designed for route based VPN, and when a packet is going > to be send through if_ipsec interface, its "output" routine uses > security policy associated with interface and with configured "reqid". > > If there are no SAs configured with given reqid, the IPsec code will > send ACQUIRE message to IKE and it should install SAs, that will be used > for IPsec transforms. > > When a host receives a packet, it handled by network stack, then by > IPsec code and when reverse transform is finished, IPsec code checks, if > packet was matched by tunnel mode SA it will be checked by if_ipsec > input routine. If addresses and reqid from SA matched to if_ipsec > configuration, it will be taken by if_ipsec interface. > > >> What is supposed to happen here? Is the IKE daemon supposed to update >> the policy once started. > In my understanding IKE is only supposed to install SAs for if_ipsec. > It can't change these policies, because they are immutable. > > I think for proper support of several if_ipsec interfaces racoon needs > some patches. But I have not spare time to do this job. > I recommend to use strongswan, it has active developers that are > responsive and may give some help at least. > > There was the link with example, but it also uses only one interface: > https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec > my answer was to create a jail to act as the endpoint of each vpn using VIMAGE and then allow each jail to run its own raccoon.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f0bf9447-ff9d-afea-db19-245dcaeb02b6>