From owner-freebsd-net@freebsd.org Fri Apr 20 08:27:20 2018
To: freebsd-net@freebsd.org
From: Victor Gamov
Subject: multiple if_ipsec
Organization: OTCnet
Date: Fri, 20 Apr 2018 11:17:27 +0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
List-Id: Networking and TCP/IP with FreeBSD

Hi All

I have a FreeBSD box (11.1-STABLE FreeBSD 11.1-STABLE #0 r327786) and a simple configuration with two if_ipsec interfaces configured like

=====
ipsec25: flags=8051 metric 0 mtu 1400
    description: -so: Sofy tunnel
    inet IP-FreeBSD --> IP-Cisco-RTR-1
    inet 10.10.98.6 --> 10.10.98.5 netmask 0xfffffffc
    nd6 options=29
    reqid: 25
    groups: ipsec
ipsec30: flags=8051 metric 0 mtu 1400
    description: -so: Kurskaya tunnel
    inet IP-FreeBSD --> IP-Cisco-RTR-2
    inet 10.10.98.1 --> 10.10.98.2 netmask 0xfffffffc
    nd6 options=29
    reqid: 30
    groups: ipsec
=====

IPsec is started with a "flush; spdflush;" only config.
FreeBSD setkey -DP reports (IPv6 skipped)

=====
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/IP_Cisco_RTR_1-IP_FreeBSD/unique:25
    spid=9 seq=7 pid=94296 scope=ifnet ifname=ipsec25
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/IP_Cisco_RTR_2-IP_FreeBSD/unique:30
    spid=13 seq=5 pid=94296 scope=ifnet ifname=ipsec30
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/IP_FreeBSD-IP_Cisco_RTR_1-IP/unique:25
    spid=10 seq=3 pid=94296 scope=ifnet ifname=ipsec25
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/IP_FreeBSD-IP_Cisco_RTR_2-IP/unique:30
    spid=14 seq=1 pid=94296 scope=ifnet ifname=ipsec30
    refcnt=1
=====

Then racoon.conf (from security/ipsec-tools-0.8.2_2) is configured like

=====
remote "kur" {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address IP-FreeBSD;
    peers_identifier address IP-Cisco-RTR-2;
    verify_identifier on;
    nonce_size 16;
    lifetime time 240 min;   # sec,min,hour
    initial_contact on;
    # support_mip6 on;
    support_proxy on;
    proposal_check obey;     # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

remote "sofy" {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address IP-FreeBSD;
    peers_identifier address IP-Cisco-RTR-1;
    verify_identifier on;
    nonce_size 16;
    lifetime time 240 min;   # sec,min,hour
    initial_contact on;
    # support_mip6 on;
    support_proxy on;
    proposal_check obey;     # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 24 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
=====

All local SAs are configured and established, and the remote side (Cisco routers) reports SAs established too. But traffic goes via only one ipsec interface.
Can anybody explain where my problem is:

- FreeBSD misconfig
- racoon misconfig
- racoon does not support multiple ipsec configurations
- something else

Thanks

--
CU,
Victor Gamov
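As an added consistency check (example code, not from the original post, FreeBSD or racoon), the script below parses `setkey -DP` output of the shape quoted above and verifies, per if_ipsec interface, that an in and an out policy exist, that their `unique:` value matches the interface's `reqid`, and that no two interfaces share the same tunnel peer; the SPD text and the reqid table are constructed from the post's values, with IP_* placeholders standing in for real addresses.

```python
import re

# Constructed sample (abridged, refcnt lines dropped), modelled on the
# "setkey -DP" output quoted in the post; IP_* names stand in for addresses.
SETKEY_DP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/IP_Cisco_RTR_1-IP_FreeBSD/unique:25
    spid=9 seq=7 pid=94296 scope=ifnet ifname=ipsec25
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/IP_Cisco_RTR_2-IP_FreeBSD/unique:30
    spid=13 seq=5 pid=94296 scope=ifnet ifname=ipsec30
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/IP_FreeBSD-IP_Cisco_RTR_1/unique:25
    spid=10 seq=3 pid=94296 scope=ifnet ifname=ipsec25
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/IP_FreeBSD-IP_Cisco_RTR_2/unique:30
    spid=14 seq=1 pid=94296 scope=ifnet ifname=ipsec30
"""
# Constructed: the "reqid:" of each if_ipsec interface as shown by ifconfig.
IFCONFIG_REQIDS = {"ipsec25": 25, "ipsec30": 30}

# One SPD record: selector line, direction, tunnel endpoints + reqid, ifname.
RECORD_RE = re.compile(
    r"^\S.*\n\s+(in|out) ipsec\n\s+esp/tunnel/(\S+?)-(\S+?)/unique:(\d+)\n"
    r"\s+.*?ifname=(\S+)", re.MULTILINE)

def parse_spd(text):
    """Return one dict per scope=ifnet policy found in setkey -DP output."""
    return [dict(dir=d, src=s, dst=t, reqid=int(r), ifname=i)
            for d, s, t, r, i in RECORD_RE.findall(text)]

def check_if_ipsec(policies, reqids):
    """Per interface: missing direction, reqid mismatch, or shared peer."""
    report, peers = {}, {}
    for ifname, reqid in reqids.items():
        mine = [p for p in policies if p["ifname"] == ifname]
        have = {p["dir"] for p in mine}
        probs = [f"missing {d} policy" for d in ("in", "out") if d not in have]
        probs += [f"{p['dir']} policy unique:{p['reqid']} != reqid {reqid}"
                  for p in mine if p["reqid"] != reqid]
        for p in (q for q in mine if q["dir"] == "out"):
            if p["dst"] in peers:
                probs.append(f"peer {p['dst']} also used by {peers[p['dst']]}")
            peers.setdefault(p["dst"], ifname)
        report[ifname] = probs
    return report
```

On a live box, feed it the real `setkey -DP` text and the `reqid:` values from `ifconfig ipsecN`; an empty list per interface means the SPD matches the if_ipsec configuration.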