From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: KOT MATPOCKuH, stable@freebsd.org
Subject: Re: route based ipsec
Date: Sun, 5 May 2019 13:48:46 +0300
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

On 02.05.2019 23:16, KOT MATPOCKuH wrote:
> I'm trying to make a full mesh VPN using route-based IPsec between four
> hosts under FreeBSD 12.
> I used racoon from security/ipsec-tools (as recommended in
> https://www.freebsd.org/doc/handbook/ipsec.html).
> The result looks like it works, but I got some problems:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?

I think it is unmaintained upstream too.

> 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> on another host):
> (gdb) bt
> #0 0x000000000024417f in isakmp_info_recv ()
> #1 0x00000000002345f4 in isakmp_main ()
> #2 0x00000000002307d0 in isakmp_handler ()
> #3 0x000000000022f10d in session ()
> #4 0x000000000022e62a in main ()
>
> 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> IMHO one SA for each traffic direction should be enough.

Probably you have something wrong in your configuration. Note that
if_ipsec(4) interfaces have their own security policies and you need to
check that racoon doesn't create additional policies.
Also, if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs
between interfaces. I made a patch to add a special parameter for racoon,
so it is possible to use several if_ipsec(4) interfaces. I think it should
be in the port.
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

Also you can use strongswan; we have used it for some time and have no
problems.

> 3. ping and TCP traffic works over ipsec tunnels, but, for example, ...
> I think it may be the result of two SAs for each direction, and some
> traffic can be passed to the kernel using the second SA, but can't be
> associated with the proper ipsecX interface.

Yes. Each SA has its own SPI, which is used to encrypt/decrypt packets.
The if_ipsec(4) interface uses security policies with a specific reqid;
IKEd should install SAs with the same reqid, so that packets going through
the if_ipsec(4) interface can be correctly encrypted and decrypted.

-- 
WBR, Andrey V. Elsukov
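As an added example, not code from the original mail nor from FreeBSD, racoon or strongswan: a shell check for the situation in points 2 and 3 of the thread. It reads a `setkey -D` dump and verifies that each traffic direction has exactly one SA and that every SA carries the reqid configured on the if_ipsec(4) interface. The interface commands in the header comment follow the shape of the if_ipsec(4) manual page; the reqid value 100, the addresses and the SAD dumps are constructed for the example, and the dump format is approximated from setkey(8) output (real dumps carry more lines per SA, which the check ignores).

```shell
#!/bin/sh
# Added example, not from the original mail. Audits the kernel SAD (setkey -D)
# for one if_ipsec(4) interface: every SA in a direction must carry the
# interface's reqid, and each direction must have exactly one such SA.
#
# Interface setup this assumes (shape follows the if_ipsec(4) manual page;
# reqid 100 and the addresses are made-up values for this example):
#   ifconfig ipsec0 create reqid 100
#   ifconfig ipsec0 tunnel 192.0.2.1 192.0.2.2
#   ifconfig ipsec0 inet 10.0.0.1 10.0.0.2
# The IKE daemon must then install its SAs with reqid 100 (strongswan has a
# per-connection reqid option for this); that is what the audit checks.
#
# Live use:  setkey -D | sa_audit 100

sa_audit() {
    want="$1"
    awk -v want="$want" '
        # An unindented line is the "src dst" header of the next SA.
        /^[^ \t]/ { dir = $1 " -> " $2; next }
        # The indented "esp mode=... spi=N(0x..) reqid=N(0x..)" line follows it.
        /^[ \t]+(esp|ah) / {
            r = $0
            sub(/.*reqid=/, "", r)
            sub(/\(.*/, "", r)
            if (r == want) ok[dir]++
            else           bad[dir]++
        }
        END {
            rc = 0
            for (d in ok)
                if (ok[d] != 1) {
                    printf("MULTI: %s has %d SAs with reqid %s\n", d, ok[d], want)
                    rc = 1
                }
            for (d in bad) {
                printf("STRAY: %s has %d SA(s) with a different reqid\n", d, bad[d])
                rc = 1
            }
            if (rc == 0)
                printf("OK: one SA per direction, all with reqid %s\n", want)
            exit rc
        }'
}

# Constructed setkey -D dump (format approximated from FreeBSD setkey(8)):
# the healthy case, one SA per direction, both with the interface reqid.
SAD_GOOD='192.0.2.1 192.0.2.2
    esp mode=tunnel spi=100001(0x000186a1) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=100002(0x000186a2) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Constructed dump of the symptom from the mail: a second SA per direction
# installed without the interface reqid (reqid=0). Traffic the kernel handles
# on that SA cannot be attributed to ipsec0, which is the user's hypothesis.
SAD_BAD='192.0.2.1 192.0.2.2
    esp mode=tunnel spi=100001(0x000186a1) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=100003(0x000186a3) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=100002(0x000186a2) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=100004(0x000186a4) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Constructed dump of the other duplicate shape: two SAs in one direction that
# both carry the interface reqid (a rekey that left the old SA behind, or a
# daemon negotiating twice).
SAD_DUP='192.0.2.1 192.0.2.2
    esp mode=tunnel spi=100001(0x000186a1) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=100005(0x000186a5) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=100002(0x000186a2) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

printf '%s\n' "$SAD_GOOD" | sa_audit 100
printf '%s\n' "$SAD_BAD" | sa_audit 100 || echo "audit failed as expected (stray SAs)"
printf '%s\n' "$SAD_DUP" | sa_audit 100 || echo "audit failed as expected (duplicate SAs)"
```

On a host showing the problem, `setkey -D | sa_audit 100` prints a STRAY line for each direction in which the IKE daemon installed an SA without the interface reqid, and a MULTI line where a direction has more than one SA with the right reqid. Pair it with `setkey -DP` to confirm that the only policies referencing that reqid are the ones if_ipsec(4) created itself, since an extra policy installed by the daemon is the other cause the reply points at.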