From owner-freebsd-net@freebsd.org Wed May 9 07:21:51 2018 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C1514FAD19E for ; Wed, 9 May 2018 07:21:50 +0000 (UTC) (envelope-from peter.blok@bsd4all.org) Received: from smtpq2.tb.mail.iss.as9143.net (smtpq2.tb.mail.iss.as9143.net [212.54.42.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4C118712C6; Wed, 9 May 2018 07:21:49 +0000 (UTC) (envelope-from peter.blok@bsd4all.org) Received: from [212.54.42.134] (helo=smtp10.tb.mail.iss.as9143.net) by smtpq2.tb.mail.iss.as9143.net with esmtp (Exim 4.86_2) (envelope-from ) id 1fGJAu-0005AX-SD; Wed, 09 May 2018 09:06:08 +0200 Received: from 5ed231fb.cm-7-3a.dynamic.ziggo.nl ([94.210.49.251] helo=wan0.bsd4all.org) by smtp10.tb.mail.iss.as9143.net with esmtp (Exim 4.86_2) (envelope-from ) id 1fGJAu-0005Lq-Pq; Wed, 09 May 2018 09:06:08 +0200 Received: from newnas (localhost [127.0.0.1]) by wan0.bsd4all.org (Postfix) with ESMTP id 854BC39EA; Wed, 9 May 2018 09:06:07 +0200 (CEST) X-Virus-Scanned: amavisd-new at bsd4all.org Received: from wan0.bsd4all.org ([127.0.0.1]) by newnas (newnas.bsd4all.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWXbM8gAtAQW; Wed, 9 May 2018 09:06:05 +0200 (CEST) Received: from [192.168.1.65] (unknown [192.168.1.65]) by wan0.bsd4all.org (Postfix) with ESMTPSA id 0300A39E4; Wed, 9 May 2018 09:06:03 +0200 (CEST) From: peter.blok@bsd4all.org Message-Id: <15DBFD1E-BC64-4A10-9CE1-E9912544B17C@bsd4all.org> Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\)) Subject: Re: multiple if_ipsec Date: Wed, 9 May 2018 09:06:03 +0200 In-Reply-To: Cc: Victor Gamov , freebsd-net@freebsd.org To: Julian Elischer , "Andrey V. Elsukov" References: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru> X-Mailer: Apple Mail (2.3445.6.18) X-SourceIP: 94.210.49.251 X-Ziggo-spambar: / X-Ziggo-spamscore: 0.0 X-Ziggo-spamreport: CMAE Analysis: v=2.3 cv=OaG28CbY c=1 sm=1 tr=0 a=7fK1ynn72W3Z/oi6DA4Tww==:17 a=VUJBJC2UJ8kA:10 a=6I5d2MoRAAAA:8 a=6Q3WNqvRAAAA:8 a=r9t_9WzKAAAA:8 a=Fsaiwhltdj_cwLRojYkA:9 a=QEXdDO2ut3YA:10 a=DCqonCTIV_0KDOlY67kA:9 a=0CPWN1uCAPU1MoaS:21 a=_W_S_7VecoQA:10 a=IjZwj45LgO3ly-622nXo:22 a=I8PBwKCn76L9oNdl0isp:22 a=oxKVjGcqyHVwCdVmF4Wu:22 none X-Ziggo-Spam-Status: No X-Spam-Status: No X-Spam-Flag: No Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 May 2018 07:21:51 -0000 Andrey, I was planning to move towards Strongswan anyway. The 1st step (with 1 = interface worked great) Julian, The idea of having a jail as VPN end-point is going to help me = transition step by step and possibly have both racoon and strongswan = active. Thx, Peter > On 9 May 2018, at 03:08, Julian Elischer wrote: >=20 > On 8/5/18 9:51 pm, Andrey V. Elsukov wrote: >> On 08.05.2018 14:03, peter.blok@bsd4all.org wrote: >>> Hi Victor, >>>=20 >>> I=E2=80=99m struggling wit the same issue. My sainfo doesn=E2=80=99t = match unless I >>> use anonymous. >>>=20 >>> Hi Andrey, >>>=20 >>> What I don=E2=80=99t understand is why a =E2=80=9Ccatchall=E2=80=9D = policy is added instead >>> of the policy that matches the inner tunnel. >> This is because the how IPsec works in BSD network stack. >>=20 >> In simple words - outbound traffic is matched by security policy, >> inbound is matched by security association. >>=20 >> When a packet is going to be send from a host, the kernel checks >> security policies for match. If it is matched, a packet goes into = IPsec >> processing. Then IPsec code using given security policy does lookup = for >> matched security association. And some IPsec transform happens. >>=20 >> When a host receives a packet, it handled by network stack first. And >> if it has corresponding IPsec inner protocol (ESP, AH), it will be >> handled by IPsec code. A packet has embedded SPI, it is used for >> security association lookup. If corresponding SA is found, the IPsec >> code will apply revers IPsec transform to the packet. Then the kernel >> checks, that there is some security policy for that packet. >>=20 >> Now how if_ipsec(4) works. Security policies associated with = interface >> have configured requirements for tunnel mode with configured = addresses. >> Interfaces are designed for route based VPN, and when a packet is = going >> to be send through if_ipsec interface, its "output" routine uses >> security policy associated with interface and with configured = "reqid". >>=20 >> If there are no SAs configured with given reqid, the IPsec code will >> send ACQUIRE message to IKE and it should install SAs, that will be = used >> for IPsec transforms. >>=20 >> When a host receives a packet, it handled by network stack, then by >> IPsec code and when reverse transform is finished, IPsec code checks, = if >> packet was matched by tunnel mode SA it will be checked by if_ipsec >> input routine. If addresses and reqid from SA matched to if_ipsec >> configuration, it will be taken by if_ipsec interface. >>=20 >>=20 >>> What is supposed to happen here? Is the IKE daemon supposed to = update >>> the policy once started. >> In my understanding IKE is only supposed to install SAs for if_ipsec. >> It can't change these policies, because they are immutable. >>=20 >> I think for proper support of several if_ipsec interfaces racoon = needs >> some patches. But I have not spare time to do this job. >> I recommend to use strongswan, it has active developers that are >> responsive and may give some help at least. >>=20 >> There was the link with example, but it also uses only one interface: >> = https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec >>=20 > my answer was to create a jail to act as the endpoint of each vpn = using VIMAGE and then allow each jail to run its own raccoon. >=20 >=20 > _______________________________________________ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net = > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org = "