Date: Fri, 20 Apr 2018 11:17:27 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-net@freebsd.org
Subject: multiple if_ipsec
Message-ID: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru>
Hi All

I have a FreeBSD box (11.1-STABLE FreeBSD 11.1-STABLE #0 r327786) and a simple configuration with two if_ipsec configured like

=====
ipsec25: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Sofy tunnel
        inet IP-FreeBSD --> IP-Cisco-RTR-1
        inet 10.10.98.6 --> 10.10.98.5 netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 25
        groups: ipsec
ipsec30: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Kurskaya tunnel
        inet IP-FreeBSD --> IP-Cisco-RTR-2
        inet 10.10.98.1 --> 10.10.98.2 netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 30
        groups: ipsec
=====

IPsec started with "flush; spdflush;" only config.

FreeBSD setkey -DP reports (IPv6 skipped)

=====
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/IP_Cisco_RTR_1-IP_FreeBSD/unique:25
        spid=9 seq=7 pid=94296 scope=ifnet ifname=ipsec25
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/IP_Cisco_RTR_2-IP_FreeBSD/unique:30
        spid=13 seq=5 pid=94296 scope=ifnet ifname=ipsec30
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/IP_FreeBSD-IP_Cisco_RTR_1-IP/unique:25
        spid=10 seq=3 pid=94296 scope=ifnet ifname=ipsec25
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/IP_FreeBSD-IP_Cisco_RTR_2-IP/unique:30
        spid=14 seq=1 pid=94296 scope=ifnet ifname=ipsec30
        refcnt=1
=====

Then racoon.conf (from security/ipsec-tools-0.8.2_2) configured like

=====
remote "kur" {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address IP-FreeBSD;
        peers_identifier address IP-Cisco-RTR-2;
        verify_identifier on;
        nonce_size 16;
        lifetime time 240 min;   # sec,min,hour
        initial_contact on;
        # support_mip6 on;
        support_proxy on;
        proposal_check obey;     # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

remote "sofy" {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address IP-FreeBSD;
        peers_identifier address IP-Cisco-RTR-1;
        verify_identifier on;
        nonce_size 16;
        lifetime time 240 min;   # sec,min,hour
        initial_contact on;
        # support_mip6 on;
        support_proxy on;
        proposal_check obey;     # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 24 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
=====

All local SAs are configured and established, and the remote side (Cisco routers) reports SAs established too.

But traffic goes via only one ipsec interface.

Can anybody explain where my problem is:
- FreeBSD misconfig
- racoon misconfig
- racoon does not support multiple ipsec configurations
- something else

Thanks

--
CU, Victor Gamov
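A consistency check for a setup like the one above, added here as an example and not part of the original post: it parses `setkey -DP` output and verifies that every if_ipsec interface has both an "in" and an "out" policy, that each policy's `unique:` id equals the interface's `reqid` from `ifconfig`, that the in/out tunnel endpoints mirror each other, and that no two interfaces share a reqid. The sample SPD and the RFC 5737 addresses are constructed stand-ins for the real endpoints.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of `setkey -DP` output for the two if_ipsec tunnels; RFC 5737
# documentation addresses (192.0.2.1 = FreeBSD, 198.51.100.x = Cisco) stand in for the real ones.
SETKEY_DP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-192.0.2.1/unique:25
\tspid=9 seq=7 pid=94296 scope=ifnet ifname=ipsec25
\trefcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/198.51.100.2-192.0.2.1/unique:30
\tspid=13 seq=5 pid=94296 scope=ifnet ifname=ipsec30
\trefcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-198.51.100.1/unique:25
\tspid=10 seq=3 pid=94296 scope=ifnet ifname=ipsec25
\trefcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-198.51.100.2/unique:30
\tspid=14 seq=1 pid=94296 scope=ifnet ifname=ipsec30
\trefcnt=1
"""
IFCONFIG_REQIDS = {"ipsec25": 25, "ipsec30": 30}  # "reqid:" values shown by ifconfig
POLICY_RE = re.compile(r"^\s*(in|out) ipsec\s+esp/tunnel/([^/\s-]+)-([^/\s]+)/unique:(\d+)"
                       r"\s+.*?ifname=(\S+)", re.M | re.S)

def parse_policies(text):
    """Map ifname -> {direction: (src, dst, reqid)} from setkey -DP output."""
    pols = defaultdict(dict)
    for direction, src, dst, reqid, ifname in POLICY_RE.findall(text):
        pols[ifname][direction] = (src, dst, int(reqid))
    return pols

def check_ipsec_policies(text, reqids):
    """Cross-check the SPD against interface reqids; an empty list means consistent."""
    findings, pols = [], parse_policies(text)
    if len(set(reqids.values())) != len(reqids):
        findings.append("two interfaces share one reqid, so their SAs cannot be told apart")
    for ifname, reqid in reqids.items():
        p = pols.get(ifname, {})
        for d in ("in", "out"):
            if d not in p:
                findings.append(f"{ifname}: no '{d}' policy bound to the interface")
            elif p[d][2] != reqid:
                findings.append(f"{ifname}: '{d}' policy unique:{p[d][2]} != reqid {reqid}")
        if {"in", "out"} <= p.keys() and p["in"][:2] != p["out"][1::-1]:
            findings.append(f"{ifname}: in/out tunnel endpoints are not mirror images")
    return findings
```

Feed it the real `setkey -DP` text and the reqids from `ifconfig`; any finding points at the interface whose policies cannot match the SAs racoon negotiates.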