From owner-freebsd-net@freebsd.org Sun May 13 12:25:28 2018
Subject: Re: multiple if_ipsec
From: peter.blok@bsd4all.org
Date: Sun, 13 May 2018 14:25:14 +0200
Cc: Victor Gamov, freebsd-net@freebsd.org, Eugene Grosbein
Message-Id: <6A4E9825-36F9-4C09-9701-AD3DD8AE3084@bsd4all.org>
References: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
To: "Andrey V. Elsukov"
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I have mixed types of configurations. I'll give it a run next week.

So far I have tried a tunnel with if_ipsec and strongswan at one end and gif and racoon at the other end. I have tried if_ipsec with strongswan on both ends.

I'll start with recompiling racoon today and using it to see if it breaks any existing stuff.

Peter

> On 13 May 2018, at 13:59, Andrey V. Elsukov wrote:
>
> On 08.05.2018 16:51, Andrey V. Elsukov wrote:
>> I think for proper support of several if_ipsec interfaces racoon needs
>> some patches. But I have no spare time to do this job.
>> I recommend using strongswan; it has active developers that are
>> responsive and may give some help at least.
>
> Hi,
>
> Today I hacked ipsec-tools a bit, and made a patch that adds support
> for multiple if_ipsec interfaces.
>
> https://people.freebsd.org/~ae/patch-reqid.diff
>
> You can put this patch into the ipsec-tools/files/ directory and then
> rebuild the package. I'm not sure about compatibility with generic
> configurations; I tested only the case with two if_ipsec tunnels.
>
> What it does:
> * added a new configuration option for the sainfo section - "reqid NUM";
> * the policy index was extended to contain reqid, so now racoon's security
>   policies from multiple interfaces don't overlap;
> * logging extended to print reqid in some places.
>
> How it is expected to be used:
>
> In racoon.conf you have several "remote IP-address {}" sections. Each
> section should have a "ph1id NUM" option. This option is used to select
> the corresponding "sainfo {}". You can have many "sainfo anonymous {}"
> sections with different "remoteid NUM", where NUM should match "ph1id
> NUM". Also you need to add a "reqid N" option to these sainfo sections.
> This reqid should match the value configured on the if_ipsec interface.
>
> I.e. "ph1id NUM" and "remoteid NUM" are used to create the relation between
> "sainfo" and "remote" sections. And the "reqid N" option is used to look up
> the corresponding SP in the SPDB and install the proper SA with the needed reqid.
>
> The example based on your config:
>
> remote 10.9.8.2
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     my_identifier address 10.9.8.3;
>     peers_identifier address 10.9.8.2;
>     ph1id 10982;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey; # obey, strict, or claim
>     passive off;
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> remote 10.9.8.6
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     my_identifier address 10.9.8.3;
>     peers_identifier address 10.9.8.6;
>     ph1id 10986;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey;
>     passive off;
>
>     proposal {
>         encryption_algorithm aes;
>         hash_algorithm sha256;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> sainfo anonymous
> {
>     remoteid 10982;
>     reqid 100;
>     lifetime time 24 hour;
>
>     pfs_group 2;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }
>
> sainfo anonymous
> {
>     remoteid 10986;
>     reqid 200;
>     lifetime time 24 hour;
>
>     pfs_group 2;
>     encryption_algorithm aes;
>     authentication_algorithm hmac_sha256;
>     compression_algorithm deflate;
> }
>
> sainfo anonymous
> {
>     lifetime time 30 min;
>
>     pfs_group 2;
>     encryption_algorithm des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
>
> --
> WBR, Andrey V. Elsukov
>
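The ph1id/remoteid/reqid bindings described in the quoted message are easy to get wrong by hand, and a reqid shared by two sainfo sections brings back exactly the overlapping-policy problem the patch is meant to remove. The script below is an added example written for this page; it is not part of the thread, of ipsec-tools, or of Andrey's patch. It parses a racoon.conf-style text (a constructed sample reduced from the config above), checks that every remote's ph1id has a sainfo with that remoteid, that each such sainfo carries a unique reqid, and that those reqids line up with a constructed table of per-interface reqids (the value one would set on each if_ipsec interface). The sample config and the interface table are constructed inputs, not values from any real system.

```python
"""Consistency check for racoon.conf remote/sainfo/reqid bindings (added example)."""
import re

# Constructed sample: the three-sainfo layout from the thread, reduced to the
# keywords the check needs. Comments and nested blocks are kept to exercise the parser.
SAMPLE_CONF = """
remote 10.9.8.2 {
    my_identifier address 10.9.8.3;
    ph1id 10982;
    proposal_check obey; # obey, strict, or claim
    proposal { encryption_algorithm 3des; hash_algorithm sha1; }
}
remote 10.9.8.6 {
    ph1id 10986;
}
sainfo anonymous {
    remoteid 10982;
    reqid 100;
}
sainfo anonymous {
    remoteid 10986;
    reqid 200;
}
sainfo anonymous {
    lifetime time 30 min;
}
"""

# Constructed: the reqid configured on each if_ipsec interface (hypothetical names).
INTERFACE_REQIDS = {"ipsec0": 100, "ipsec1": 200}


def parse_sections(text):
    """Return [(kind, name, {option: value})] for top-level remote/sainfo blocks.

    Only depth-1 'option value;' statements are collected; nested blocks such as
    'proposal { ... }' are removed before splitting, and '#' comments are dropped.
    """
    text = re.sub(r"#.*", "", text)
    sections = []
    pos = 0
    while True:
        m = re.search(r"\b(remote|sainfo)\s+([^\s{]+)\s*\{", text[pos:])
        if not m:
            return sections
        start = pos + m.end()
        depth, j = 1, start
        while j < len(text) and depth:          # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        body = text[start:j - 1]
        while re.search(r"\{[^{}]*\}", body):   # strip nested blocks, innermost first
            body = re.sub(r"\{[^{}]*\}", "", body)
        opts = {}
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) >= 2:
                opts[parts[0]] = " ".join(parts[1:])
        sections.append((m.group(1), m.group(2), opts))
        pos = j


def check_bindings(text, iface_reqids):
    """Return a list of human-readable findings; an empty list means the bindings are consistent."""
    findings = []
    sections = parse_sections(text)
    ph1ids = {}
    for kind, addr, opts in sections:
        if kind != "remote":
            continue
        if "ph1id" not in opts:
            findings.append(f"remote {addr}: no ph1id, cannot be bound to a dedicated sainfo")
        else:
            ph1ids[int(opts["ph1id"])] = addr
    reqid_owner = {}                             # reqid -> remoteid that claimed it
    for kind, _name, opts in sections:
        if kind != "sainfo" or "remoteid" not in opts:
            continue                             # a sainfo without remoteid is the catch-all
        remoteid = int(opts["remoteid"])
        if remoteid not in ph1ids:
            findings.append(f"sainfo remoteid {remoteid}: no remote section has ph1id {remoteid}")
        if "reqid" not in opts:
            findings.append(f"sainfo remoteid {remoteid}: no reqid, SP lookup cannot be tied to an interface")
            continue
        reqid = int(opts["reqid"])
        if reqid in reqid_owner:
            findings.append(f"reqid {reqid} reused by sainfo remoteid {remoteid} and {reqid_owner[reqid]}: policies would overlap")
        reqid_owner[reqid] = remoteid
        if reqid not in iface_reqids.values():
            findings.append(f"reqid {reqid} (sainfo remoteid {remoteid}) matches no if_ipsec interface")
    for iface, reqid in iface_reqids.items():
        if reqid not in reqid_owner:
            findings.append(f"{iface} reqid {reqid}: no sainfo section installs SAs with this reqid")
    return findings


if __name__ == "__main__":
    for line in check_bindings(SAMPLE_CONF, INTERFACE_REQIDS) or ["bindings consistent"]:
        print(line)
```

Run it against a real racoon.conf by reading the file into `check_bindings` and filling the interface table from the reqid shown by `ifconfig` for each ipsec interface; the check is purely static and never touches the SPDB, so it is safe to run before reloading racoon.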