From owner-freebsd-net@freebsd.org  Wed May  9 01:08:30 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 26271FD055A
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Wed,  9 May 2018 01:08:30 +0000 (UTC)
 (envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "vps1.elischer.org",
 Issuer "CA Cert Signing Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id BD15784E77
 for <freebsd-net@freebsd.org>; Wed,  9 May 2018 01:08:29 +0000 (UTC)
 (envelope-from julian@freebsd.org)
Received: from Julian-MBP3.local (124-148-108-197.dyn.iinet.net.au
 [124.148.108.197]) (authenticated bits=0)
 by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id w4918I4B047391
 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
 Tue, 8 May 2018 18:08:21 -0700 (PDT)
 (envelope-from julian@freebsd.org)
Subject: Re: multiple if_ipsec
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, peter.blok@bsd4all.org,
 Victor Gamov <vit@otcnet.ru>
Cc: freebsd-net@freebsd.org
References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru>
 <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru>
 <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru>
 <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru>
 <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru>
 <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru>
 <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru>
 <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru>
 <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
 <C6EF4FCA-CBA0-4068-A582-E3C99D209D0C@bsd4all.org>
 <d4aedb31-245b-b465-8979-2263bdea0ee3@yandex.ru>
From: Julian Elischer <julian@freebsd.org>
Message-ID: <f0bf9447-ff9d-afea-db19-245dcaeb02b6@freebsd.org>
Date: Wed, 9 May 2018 09:08:13 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0)
 Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <d4aedb31-245b-b465-8979-2263bdea0ee3@yandex.ru>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2018 01:08:30 -0000

On 8/5/18 9:51 pm, Andrey V. Elsukov wrote:
> On 08.05.2018 14:03, peter.blok@bsd4all.org wrote:
>> Hi Victor,
>>
>> I’m struggling wit the same issue. My sainfo doesn’t match unless I
>> use anonymous.
>>
>> Hi Andrey,
>>
>> What I don’t understand is why a “catchall” policy is added instead
>> of the policy that matches the inner tunnel.
> This is because the how IPsec works in BSD network stack.
>
> In simple words - outbound traffic is matched by security policy,
> inbound is matched by security association.
>
> When a packet is going to be send from a host, the kernel checks
> security policies for match. If it is matched, a packet goes into IPsec
> processing. Then IPsec code using given security policy does lookup for
> matched security association. And some IPsec transform happens.
>
> When a host receives a packet, it handled by network stack first. And
> if it has corresponding IPsec inner protocol (ESP, AH), it will be
> handled by IPsec code. A packet has embedded SPI, it is used for
> security association lookup. If corresponding SA is found, the IPsec
> code will apply revers IPsec transform to the packet. Then the kernel
> checks, that there is some security policy for that packet.
>
> Now how if_ipsec(4) works. Security policies associated with interface
> have configured requirements for tunnel mode with configured addresses.
> Interfaces are designed for route based VPN, and when a packet is going
> to be send through if_ipsec interface, its "output" routine uses
> security policy associated with interface and with configured "reqid".
>
> If there are no SAs configured with given reqid, the IPsec code will
> send ACQUIRE message to IKE and it should install SAs, that will be used
> for IPsec transforms.
>
> When a host receives a packet, it handled by network stack, then by
> IPsec code and when reverse transform is finished, IPsec code checks, if
> packet was matched by tunnel mode SA it will be checked by if_ipsec
> input routine. If addresses and reqid from SA matched to if_ipsec
> configuration, it will be taken by if_ipsec interface.
>
>
>> What is supposed to happen here? Is the IKE daemon supposed to update
>> the policy once started.
> In my understanding IKE is only supposed to install SAs for if_ipsec.
> It can't change these policies, because they are immutable.
>
> I think for proper support of several if_ipsec interfaces racoon needs
> some patches. But I have not spare time to do this job.
> I recommend to use strongswan, it has active developers that are
> responsive and may give some help at least.
>
> There was the link with example, but it also uses only one interface:
> https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
>
my answer was to create a jail to act as the endpoint of each vpn 
using VIMAGE and then allow each jail to run its own raccoon.