From owner-freebsd-net@freebsd.org Wed May 16 18:15:11 2018 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2CEE0EA897B for ; Wed, 16 May 2018 18:15:11 +0000 (UTC) (envelope-from vit@otcnet.ru) Received: from mail.otcnet.ru (mail.otcnet.ru [194.190.78.3]) by mx1.freebsd.org (Postfix) with ESMTP id 8B89574B95 for ; Wed, 16 May 2018 18:15:09 +0000 (UTC) (envelope-from vit@otcnet.ru) Received: from [192.168.2.70] (unknown [195.144.250.6]) by mail.otcnet.ru (Postfix) with ESMTPSA id A671B596607 for ; Wed, 16 May 2018 21:08:37 +0300 (MSK) Subject: Re: multiple if_ipsec To: freebsd-net@freebsd.org References: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru> <15DBFD1E-BC64-4A10-9CE1-E9912544B17C@bsd4all.org> From: Victor Gamov Organization: OTCnet Message-ID: Date: Wed, 16 May 2018 21:08:35 +0300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <15DBFD1E-BC64-4A10-9CE1-E9912544B17C@bsd4all.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 May 2018 18:15:11 -0000 On 09/05/2018 10:06, peter.blok@bsd4all.org wrote: > Andrey, > > I was planning to move towards Strongswan anyway. The 1st step (with 1 > interface worked great) > > Julian, > > The idea of having a jail as VPN end-point is going to help me > transition step by step and possibly have both racoon and strongswan active. > > Thx, > > Peter > >> On 9 May 2018, at 03:08, Julian Elischer > > wrote: >> >> On 8/5/18 9:51 pm, Andrey V. Elsukov wrote: >>> On 08.05.2018 14:03, peter.blok@bsd4all.org >>> wrote: >>>> Hi Victor, >>>> >>>> I’m struggling wit the same issue. My sainfo doesn’t match unless I >>>> use anonymous. >>>> >>>> Hi Andrey, >>>> >>>> What I don’t understand is why a “catchall” policy is added instead >>>> of the policy that matches the inner tunnel. >>> This is because the how IPsec works in BSD network stack. >>> >>> In simple words - outbound traffic is matched by security policy, >>> inbound is matched by security association. >>> >>> When a packet is going to be send from a host, the kernel checks >>> security policies for match. If it is matched, a packet goes into IPsec >>> processing. Then IPsec code using given security policy does lookup for >>> matched security association. And some IPsec transform happens. >>> >>> When a host receives a packet, it handled by network stack first. And >>> if it has corresponding IPsec inner protocol (ESP, AH), it will be >>> handled by IPsec code. A packet has embedded SPI, it is used for >>> security association lookup. If corresponding SA is found, the IPsec >>> code will apply revers IPsec transform to the packet. Then the kernel >>> checks, that there is some security policy for that packet. >>> >>> Now how if_ipsec(4) works. Security policies associated with interface >>> have configured requirements for tunnel mode with configured addresses. >>> Interfaces are designed for route based VPN, and when a packet is going >>> to be send through if_ipsec interface, its "output" routine uses >>> security policy associated with interface and with configured "reqid". >>> >>> If there are no SAs configured with given reqid, the IPsec code will >>> send ACQUIRE message to IKE and it should install SAs, that will be used >>> for IPsec transforms. >>> >>> When a host receives a packet, it handled by network stack, then by >>> IPsec code and when reverse transform is finished, IPsec code checks, if >>> packet was matched by tunnel mode SA it will be checked by if_ipsec >>> input routine. If addresses and reqid from SA matched to if_ipsec >>> configuration, it will be taken by if_ipsec interface. >>> >>> >>>> What is supposed to happen here? Is the IKE daemon supposed to update >>>> the policy once started. >>> In my understanding IKE is only supposed to install SAs for if_ipsec. >>> It can't change these policies, because they are immutable. >>> >>> I think for proper support of several if_ipsec interfaces racoon needs >>> some patches. But I have not spare time to do this job. >>> I recommend to use strongswan, it has active developers that are >>> responsive and may give some help at least. >>> >>> There was the link with example, but it also uses only one interface: >>> https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec >>> >> my answer was to create a jail to act as the endpoint of each vpn >> using VIMAGE and then allow each jail to run its own raccoon. Hi All I have FreeBSD-11.1-STABLE (r327786) + strongswan-5.6.2_1 Then IKEv1 configured and two ipsec interfaces connected to Cisco-routers works fine at first sight You need both leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0 configured at strongswan to protocols like OSPF works properly. I'll try to do more tests later. Thanks Andrey! -- CU, Victor Gamov