Date: Sun, 13 May 2018 14:25:14 +0200
From: peter.blok@bsd4all.org
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Victor Gamov <vit@otcnet.ru>, freebsd-net@freebsd.org, Eugene Grosbein <eugen@grosbein.net>
Subject: Re: multiple if_ipsec
Message-ID: <6A4E9825-36F9-4C09-9701-AD3DD8AE3084@bsd4all.org>
In-Reply-To: <ef71721f-9d41-f08f-a806-64675ad47216@yandex.ru>
References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru> <C6EF4FCA-CBA0-4068-A582-E3C99D209D0C@bsd4all.org> <d4aedb31-245b-b465-8979-2263bdea0ee3@yandex.ru> <ef71721f-9d41-f08f-a806-64675ad47216@yandex.ru>
Hi,

I have mixed types of configurations. I'll give it a run next week. So far I have tried a tunnel with if_ipsec and strongswan at one end and gif and racoon at the other end. I have tried if_ipsec with strongswan on both ends.

I'll start with recompiling racoon today and using it to see if it breaks any existing stuff.

Peter

> On 13 May 2018, at 13:59, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
>
> On 08.05.2018 16:51, Andrey V. Elsukov wrote:
>> I think for proper support of several if_ipsec interfaces racoon needs
>> some patches. But I have no spare time to do this job.
>> I recommend using strongswan; it has active developers that are
>> responsive and may give some help at least.
>
> Hi,
>
> Today I hacked ipsec-tools a bit, and made the patch that adds support
> for multiple if_ipsec interfaces.
>
> https://people.freebsd.org/~ae/patch-reqid.diff
>
> You can put this patch into the ipsec-tools/files/ directory and then
> rebuild the package. I'm not sure about compatibility with generic
> configurations; I tested only the case with two if_ipsec tunnels.
>
> What it does:
> * added a new configuration option for the sainfo section - "reqid NUM";
> * the policy index was extended to contain reqid, so now racoon's security
>   policies from multiple interfaces don't overlap;
> * logging extended to print reqid in some places.
>
> How it is expected to be used:
>
> In racoon.conf you have several "remote IP-address {}" sections. Each
> section should have a "ph1id NUM" option. This option is used to select
> the corresponding "sainfo {}". You can have many "sainfo anonymous {}"
> sections with different "remoteid NUM", where NUM should match "ph1id
> NUM". Also you need to add a "reqid N" option to these sainfo sections.
> This reqid should match the value configured on the if_ipsec interface.
>
> I.e. "ph1id NUM" and "remoteid NUM" are used to create the relation between
> "sainfo" and "remote" sections. And the "reqid N" option is used to look up
> the corresponding SP in the SPDB and install the proper SA with the needed reqid.
>
> The example based on your config:
>
> remote 10.9.8.2
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     my_identifier address 10.9.8.3;
>     peers_identifier address 10.9.8.2;
>     ph1id 10982;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey; # obey, strict, or claim
>     passive off;
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> remote 10.9.8.6
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     my_identifier address 10.9.8.3;
>     peers_identifier address 10.9.8.6;
>     ph1id 10986;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey;
>     passive off;
>
>     proposal {
>         encryption_algorithm aes;
>         hash_algorithm sha256;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> sainfo anonymous
> {
>     remoteid 10982;
>     reqid 100;
>     lifetime time 24 hour;
>
>     pfs_group 2;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }
>
> sainfo anonymous
> {
>     remoteid 10986;
>     reqid 200;
>     lifetime time 24 hour;
>
>     pfs_group 2;
>     encryption_algorithm aes;
>     authentication_algorithm hmac_sha256;
>     compression_algorithm deflate;
> }
>
> sainfo anonymous
> {
>     lifetime time 30 min;
>
>     pfs_group 2;
>     encryption_algorithm des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
>
> --
> WBR, Andrey V. Elsukov
>
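The ph1id -> remoteid -> reqid chain described in the quoted message is easy to get subtly wrong by hand, and a reused reqid brings back exactly the overlapping-SP problem the patch addresses. The following is an added example (not code from the thread, ipsec-tools or FreeBSD): a small checker that parses a racoon.conf modelled on the config above, verifies that every "remote" binds to exactly one reqid-bearing "sainfo" and that no reqid is shared, and emits the ifconfig(8) lines that would create a matching if_ipsec interface per tunnel. The outer source address 10.9.8.3 is assumed from the my_identifier line; the sample configs are constructed for the example.

```python
import re

# Constructed sample modelled on the racoon.conf posted in the thread (added
# example, not the list's own file): two "remote" sections tied to their
# "sainfo" by ph1id/remoteid, each sainfo carrying one if_ipsec reqid, plus
# the catch-all sainfo without a reqid.
GOOD_CONF = """
remote 10.9.8.2
{
    my_identifier address 10.9.8.3;
    peers_identifier address 10.9.8.2;
    ph1id 10982;
    proposal_check obey; # obey, strict, or claim
    proposal { encryption_algorithm 3des; hash_algorithm sha1; dh_group 2; }
}
remote 10.9.8.6
{
    my_identifier address 10.9.8.3;
    peers_identifier address 10.9.8.6;
    ph1id 10986;
    proposal { encryption_algorithm aes; hash_algorithm sha256; dh_group 2; }
}
sainfo anonymous
{
    remoteid 10982;
    reqid 100;
    lifetime time 24 hour;
}
sainfo anonymous
{
    remoteid 10986;
    reqid 200;
    lifetime time 24 hour;
}
sainfo anonymous
{
    lifetime time 30 min;
}
"""
# Same file with the second sainfo accidentally reusing reqid 100: the
# overlap the reqid-extended policy index is meant to rule out.
BAD_CONF = GOOD_CONF.replace("reqid 200;", "reqid 100;")

KEY_RE = re.compile(r"^\s*(ph1id|remoteid|reqid)\s+(\d+)\s*;", re.M)


def parse_blocks(text):
    """Split racoon.conf into top-level (header, body) pairs by brace depth;
    nested blocks such as "proposal { ... }" stay inside the parent's body."""
    text = re.sub(r"#[^\n]*", "", text)           # drop comments
    blocks, header, body, depth = [], [], [], 0
    for ch in text:
        if ch == "{":
            depth += 1
            if depth == 1:                         # start of a top-level body
                continue
        elif ch == "}":
            depth -= 1
            if depth == 0:                         # top-level block complete
                blocks.append((" ".join("".join(header).split()), "".join(body)))
                header, body = [], []
                continue
        (body if depth else header).append(ch)
    return blocks


def section_ids(body):
    """ph1id/remoteid/reqid values found directly in one section body."""
    return {key: int(val) for key, val in KEY_RE.findall(body)}


def check_reqid_mapping(conf):
    """Resolve remote -> sainfo -> reqid; return (tunnels, findings).
    tunnels: (peer, ph1id, reqid) per remote bound to exactly one reqid-bearing
    sainfo. findings: problems to fix before starting racoon."""
    remotes, sainfos = [], []
    for header, body in parse_blocks(conf):
        words = header.split()
        if words[0] == "remote":
            remotes.append((words[1], section_ids(body)))
        elif words[0] == "sainfo":
            sainfos.append(section_ids(body))
    findings, tunnels, seen = [], [], set()
    for ids in sainfos:
        if "reqid" in ids:
            if ids["reqid"] in seen:
                findings.append(f"reqid {ids['reqid']} is used by more than one "
                                "sainfo; their security policies would overlap")
            seen.add(ids["reqid"])
    for peer, ids in remotes:
        matches = [s for s in sainfos
                   if "ph1id" in ids and s.get("remoteid") == ids["ph1id"]]
        if len(matches) != 1 or "reqid" not in matches[0]:
            findings.append(f"remote {peer}: not bound to exactly one sainfo with a "
                            "reqid (check ph1id/remoteid and that the sainfo sets reqid)")
            continue
        tunnels.append((peer, ids["ph1id"], matches[0]["reqid"]))
    return tunnels, findings


def ifconfig_plan(tunnels, local):
    """ifconfig(8) lines that create one if_ipsec per tunnel with the matching
    reqid; `local` is the outer source address (assumed 10.9.8.3 here, the
    my_identifier address from the thread)."""
    return [f"ifconfig ipsec{i} create reqid {reqid} tunnel {local} {peer}"
            for i, (peer, _ph1id, reqid) in enumerate(tunnels)]


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        tunnels, findings = check_reqid_mapping(conf)
        print(name, ifconfig_plan(tunnels, "10.9.8.3"), findings)
```

Running the checker on the good config yields two tunnels with reqid 100 and 200 and no findings; the bad config is flagged because both sainfo sections would install SAs under reqid 100, which is the overlap the patch's extended policy index exists to prevent.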