Date: Sun, 13 May 2018 01:37:21 +0200 From: Andreas Scherrer <ascherrer@gmail.com> To: freebsd-net@freebsd.org Subject: Site-to-site IPSec VPN using if_ipsec and racoon Message-ID: <951ef6f6-95d8-8832-1e7a-59fc90434029@gmail.com>
next in thread | raw e-mail | index | archive | help
Hi I am trying to configure a site to site VPN using the (new?) if_ipsec interfaces [1]. One endpoint is FreeBSD 11.1-RELEASE whereas the other will be a RPi (Raspbian 9.4 stretch running libreswan). The public IPs involved are all IPv6 and the goal is to tunnel IPv4 traffic. Currently I am struggling with the FreeBSD side (which is using racoon if that is relevant). The documentation [1] states: "When the if_ipsec interface is configured, it automatically creates special security policies. These policies can be used to acquire security associations from the IKE daemon, which are needed for establishing an IPsec tunnel." But it does not say HOW to do that. My interpretation of [2]'s statement: "If no security association is found, the packet is put on hold and the IKE daemon is asked to negotiate an appropriate one." is that it should somehow be automagic. But in my current configuration, that does not happen. I never see FreeBSD initiate any IKE traffic (500/udp) and 'setkey -D' always reports "No SAD entries.". I have the 'ipsec0' interface configured and I do see the SPD entry with 'setkey -D -P [-t]': ----- # setkey -D -P -t 0.0.0.0/0[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/<remote IPv6>-<local IPv6>/unique:100 spid=75 seq=3 pid=10410 scope=ifnet ifname=ipsec0 refcnt=1 ::/0[any] ::/0[any] any in ipsec esp/tunnel/<remote IPv6>-<local IPv6>/unique:100 spid=77 seq=2 pid=10410 scope=ifnet ifname=ipsec0 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any out ipsec esp/tunnel/<local IPv6>-<remote IPv6>/unique:100 spid=76 seq=1 pid=10410 scope=ifnet ifname=ipsec0 refcnt=1 ::/0[any] ::/0[any] any out ipsec esp/tunnel/<local IPv6>-<remote IPv6>/unique:100 spid=78 seq=0 pid=10410 scope=ifnet ifname=ipsec0 refcnt=1 ----- And traffic to my test destination (192.168.112.1) is routed to 'ipsec0': ----- # route -n show 192.168.112.1 route to: 192.168.112.1 destination: 192.168.112.0 mask: 255.255.255.0 fib: 0 interface: ipsec0 flags: <UP,DONE,STATIC> recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 1400 1 0 ----- By applying some "reverse logic" to another statement in [2]: "When a matching policy is found, the kernel will look for a corresponding security association" I deduct that maybe for some reason my traffic does not match the existing policy. But I do not see (or understand) why? Any traffic through 'ipsec0' should match that policy, no? I am under the impression that this is one of the basic ideas of having 'ipsec0' in the first place ("it automatically creates special security policies")? The example on [1] uses 'setkey -c' to manually configure the SA which is something I do not want to (and cannot) do. Can anybody point me in the right direction (be it more documentation or a working config example)? That would be awesome. Best regards andreas Ps.: I have tried the "old" approach which I know better using 'gif' interfaces. With that I have managed to get racoon negotiate SAs for the same tunnel (i.e. with libreswan on the RPi). Unfortunately I cannot wrap my head around the routing with that approach (no 'gif' on Raspbian). And the documentation also mentions this as a limitation of 'gif' [3]: "you cannot usually use gif to talk with IPsec devices that use IPsec tunnel mode" [1] https://www.freebsd.org/cgi/man.cgi?query=if_ipsec [2] https://vincent.bernat.im/en/blog/2017-route-based-vpn [3] https://www.freebsd.org/cgi/man.cgi?query=gif -- Stell dir vor es geht und keiner kriegt's hin.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?951ef6f6-95d8-8832-1e7a-59fc90434029>