Date: Sun, 5 May 2019 13:48:46 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: KOT MATPOCKuH <matpockuh@gmail.com>, stable@freebsd.org
Subject: Re: route based ipsec
Message-ID: <a7d8c37c-8712-ded6-4c30-d473bf20f877@yandex.ru>
In-Reply-To: <CALmdT0Wdb+=LHvTaO9MU=MnQvQJEzKT9CXAf2kVPY=AAc=kxVQ@mail.gmail.com>
References: <CALmdT0Wdb+=LHvTaO9MU=MnQvQJEzKT9CXAf2kVPY=AAc=kxVQ@mail.gmail.com>
On 02.05.2019 23:16, KOT MATPOCKuH wrote:
> I'm trying to make a full mesh vpn using route based ipsec between four
> hosts under FreeBSD 12.
> I used racoon from security/ipsec-tools (as recommended in
> https://www.freebsd.org/doc/handbook/ipsec.html)
> The result looks like it works, but I got some problems:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon? I think it is unmaintained upstream too.
> 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> on another host):
> (gdb) bt
> #0 0x000000000024417f in isakmp_info_recv ()
> #1 0x00000000002345f4 in isakmp_main ()
> #2 0x00000000002307d0 in isakmp_handler ()
> #3 0x000000000022f10d in session ()
> #4 0x000000000022e62a in main ()
>
> 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> IMHO one SA for each traffic direction should be enough.

Probably you have something wrong in your configuration. Note that if_ipsec(4) interfaces have their own security policies, and you need to check that racoon doesn't create additional policies. Also, if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between interfaces.

I made a patch to add a special parameter for racoon, so it is possible to use several if_ipsec(4) interfaces. I think it should be in the port.
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

Also you can use strongswan; we have used it for some time and have had no problems.

> 3. ping and TCP traffic works over ipsec tunnels, but, for example,
> ...
> I think it may be the result of two SAs for each direction, and some traffic
> can be passed to the kernel using the second SA, but can't be associated with
> the proper ipsecX interface.

Yes. Each SA has its SPI, which is used to encrypt/decrypt packets. An if_ipsec(4) interface uses security policies with a specific reqid; the IKEd should install SAs with the same reqid, then packets that are going through the if_ipsec(4) interface can be correctly encrypted and decrypted.

-- 
WBR, Andrey V. Elsukov
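A check for the reqid mismatch discussed in this reply, added here as an example and not part of the original thread: it parses constructed `setkey -D` and `ifconfig` output (the field layout is an assumption, not taken from the thread) and reports SAs that no if_ipsec(4) interface can use, as well as more than one SA for a single direction.

```python
import re

# Constructed sample `setkey -D` and `ifconfig ipsec0` output (field layout assumed).
# Direction 5->3 carries two extra SAs: one with a foreign reqid (0) and one duplicate.
SAD_DUMP = """\
192.168.0.3 192.168.0.5
	esp mode=tunnel spi=65536(0x00010000) reqid=100(0x00000064)
192.168.0.5 192.168.0.3
	esp mode=tunnel spi=65537(0x00010001) reqid=100(0x00000064)
192.168.0.5 192.168.0.3
	esp mode=tunnel spi=65538(0x00010002) reqid=0(0x00000000)
192.168.0.5 192.168.0.3
	esp mode=tunnel spi=65539(0x00010003) reqid=100(0x00000064)
"""
IFCONFIG = """\
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
	tunnel inet 192.168.0.3 --> 192.168.0.5
	reqid: 100
"""

SA_LINE = re.compile(r"^\s+esp mode=\w+ spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")

def parse_sad(text):
    """Return (src, dst, spi, reqid) for every ESP SA in a setkey -D dump."""
    sas, pair = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            pair = tuple(line.split()[:2])        # "src dst" header of one SA
        elif pair and (m := SA_LINE.match(line)):
            sas.append((pair[0], pair[1], int(m.group(1)), int(m.group(2))))
    return sas

def parse_ifconfig(text):
    """Return {ifname: reqid} for interfaces that report a reqid (if_ipsec(4))."""
    blocks = re.finditer(r"^(\w+):.*(?:\n[ \t].*)*?\n[ \t]+reqid: (\d+)", text, re.M)
    return {m.group(1): int(m.group(2)) for m in blocks}

def check(sas, reqids):
    """Flag SAs no if_ipsec interface can use, and more than one SA per direction."""
    by_reqid = {r: n for n, r in reqids.items()}
    problems, per_dir = [], {}
    for src, dst, spi, reqid in sas:
        if reqid in by_reqid:
            per_dir.setdefault((by_reqid[reqid], src, dst), []).append(spi)
        else:
            problems.append(f"spi 0x{spi:08x} {src}->{dst}: reqid {reqid} matches no ipsec interface")
    for (ifn, src, dst), spis in per_dir.items():
        if len(spis) > 1:
            problems.append(f"{ifn} {src}->{dst}: {len(spis)} SAs for one direction")
    return problems
```

On a live host, feed it the real output of `setkey -D` and `ifconfig` instead of the embedded samples.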