Date: Mon, 23 Apr 2018 15:10:29 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-net@freebsd.org
Subject: Re: multiple if_ipsec
Message-ID: <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru>
In-Reply-To: <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru>
References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru>
 <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru>
 <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru>
 <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru>
 <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru>
 <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru>
On 23/04/2018 14:13, Andrey V. Elsukov wrote:
> On 21.04.2018 19:16, Victor Gamov wrote:
>> When I change the ipsec-interface creation order, then only the last
>> created interface works fine again and the previously configured
>> interfaces do not work.
>>
>>
>> And a very interesting fact: when I ping from the remote 10.10.98.5, for
>> example, to FreeBSD 10.10.98.6, then no ICMP request comes in over the
>> ipsec-interface, but the ICMP reply goes out via this ipsec-interface
>> (but is not delivered to 10.10.98.5)
>>
>>
>> Any ideas?
>
> I'm out of ideas. For further debugging I need to see the output of
> # sysctl net. | grep ipsec
> # setkey -DP
> # setkey -D
> # ifconfig
>
> And probably racoon's logs.

Hi Andrey!

First of all -- many thanks for your responses!

Configs follow

# sysctl net. | grep ipsec
=====
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.natt_cksum_policy: 0
net.inet.ipsec.check_policy_history: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.filtertunnel: 0
=====

# setkey -DP | grep -A 4 '^0'
=====
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/__Cisco_30__-__FreeBSD_IP__/unique:30
        spid=1 seq=11 pid=99239 scope=ifnet ifname=ipsec30
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/__Cisco_26__-__FreeBSD_IP__/unique#16385
        spid=5 seq=9 pid=99239 scope=ifnet ifname=ipsec26
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/__Cisco_25__-__FreeBSD_IP__/unique:26
        spid=9 seq=7 pid=99239 scope=ifnet ifname=ipsec25
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/__FreeBSD_IP__-__Cisco_30__/unique:30
        spid=2 seq=5 pid=99239 scope=ifnet ifname=ipsec30
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/__FreeBSD_IP__-__Cisco_26__/unique#16385
        spid=6 seq=3 pid=99239 scope=ifnet ifname=ipsec26
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/__FreeBSD_IP__-__Cisco_25__/unique:26
        spid=10 seq=1 pid=99239 scope=ifnet ifname=ipsec25
        refcnt=1
=====

# setkey -D
=====
__FreeBSD_IP__ __Cisco_30__
        esp mode=tunnel spi=2124688285(0x7ea42b9d) reqid=26(0x0000001a)
        E: rijndael-cbc 6ca42c3b c24ce0ec f3f676c8 c9b9e72d fde63423 3f957b0c ee5da59d dce8a66d
        A: hmac-sha1 2adb7dfb 26d5de00 2fdd9a21 f63701ef 59d95a1a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 14:02:03 2018   current: Apr 23 14:17:40 2018
        diff: 937(s)    hard: 3600(s)   soft: 2880(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=5 pid=95677 refcnt=1
__FreeBSD_IP__ __Cisco_25__
        esp mode=tunnel spi=153891647(0x092c333f) reqid=26(0x0000001a)
        E: rijndael-cbc 8f9905fe 6a9cfc76 a0da354b 53a7f901 298dca43 b5feda65 3be012e7 08835553
        A: hmac-sha1 aa2ec447 0e6b36e2 23ba9b27 9d0ecc05 4513af70
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:40:24 2018   current: Apr 23 14:17:40 2018
        diff: 2236(s)   hard: 3600(s)   soft: 2880(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=4 pid=95677 refcnt=1
__Cisco_25__ __FreeBSD_IP__
        esp mode=tunnel spi=21918183(0x014e71e7) reqid=26(0x0000001a)
        E: rijndael-cbc 43e8f54a 0bdda6b5 41a637d5 4469973d 5b3dc8d0 37022187 43c86f0c 34054df8
        A: hmac-sha1 cf08a56a beead8b8 e637a14a 5fdbde3d b8c71192
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:40:24 2018   current: Apr 23 14:17:40 2018
        diff: 2236(s)   hard: 3600(s)   soft: 2880(s)
        last: Apr 23 13:40:25 2018      hard: 0(s)      soft: 0(s)
        current: 46900(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 719  hard: 0 soft: 0
        sadb_seq=3 pid=95677 refcnt=1
__FreeBSD_IP__ __Cisco_26__
        esp mode=tunnel spi=2471238029(0x934c198d) reqid=26(0x0000001a)
        E: rijndael-cbc 01b3235e 0fe554d3 6dbcb505 bb34d511 93f8ee6f b0b15f43 077c411a afdb1b3b
        A: hmac-sha1 29ab22bd 2c4f0ade e1478e19 0ecf423f ef155ff3
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:42:29 2018   current: Apr 23 14:17:40 2018
        diff: 2111(s)   hard: 3600(s)   soft: 2880(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=95677 refcnt=1
__Cisco_26__ __FreeBSD_IP__
        esp mode=tunnel spi=103689330(0x062e2c72) reqid=26(0x0000001a)
        E: rijndael-cbc 27936832 275a949a a156336c dbc049e1 3a88218a 1f23351f 54eb336d 8381bf0b
        A: hmac-sha1 8ed4e3a6 7d3d5b25 0c167123 fc8052a5 43738cf8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:42:29 2018   current: Apr 23 14:17:40 2018
        diff: 2111(s)   hard: 3600(s)   soft: 2880(s)
        last: Apr 23 13:42:33 2018      hard: 0(s)      soft: 0(s)
        current: 27360(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 456  hard: 0 soft: 0
        sadb_seq=1 pid=95677 refcnt=1
__Cisco_30__ __FreeBSD_IP__
        esp mode=tunnel spi=42561509(0x02896fe5) reqid=26(0x0000001a)
        E: rijndael-cbc a9c9d21a b09f705b fbf33201 881b27af a23ea9fa 85085847 b4b50418 54d6c739
        A: hmac-sha1 7994e8dc ece0c8e7 434ac694 b0fc7952 bc1e01b0
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 14:02:03 2018   current: Apr 23 14:17:40 2018
        diff: 937(s)    hard: 3600(s)   soft: 2880(s)
        last: Apr 23 14:02:05 2018      hard: 0(s)      soft: 0(s)
        current: 19644(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 301  hard: 0 soft: 0
        sadb_seq=0 pid=95677 refcnt=1
=====

# ifconfig -au
=====
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: -LAN
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:b0:81:ac
        hwaddr 00:50:56:b0:81:ac
        inet 192.168.10.130 netmask 0xffffff00 broadcast 192.168.10.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: -WAN
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:b0:bf:de
        hwaddr 00:50:56:b0:bf:de
        inet __FreeBSD_IP__ netmask 0xffffffe0 broadcast __FreeBSD_IP_broadcast__
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
ipsec30: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Kur
        tunnel inet __FreeBSD_IP__ --> __Cisco_30__
        inet 10.10.98.1 --> 10.10.98.2 netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 30
        groups: ipsec
ipsec26: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Mur
        tunnel inet __FreeBSD_IP__ --> __Cisco_26__
        inet 10.10.98.9 --> 10.10.98.10 netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 16385
        groups: ipsec
ipsec25: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Sofy
        tunnel inet __FreeBSD_IP__ --> __Cisco_25__
        inet 10.10.98.5 --> 10.10.98.6 netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 26
        groups: ipsec
=====

Racoon is launched with debug now, and sometimes I get DEBUG messages

=====
racoon: DEBUG: no such a SA found: ESP/Tunnel __Cisco_30__[500]->__FreeBSD_IP__[500] spi=198258211(0xbd12e23)
racoon: DEBUG: no such a SA found: ESP/Tunnel __Cisco_25__[500]->__FreeBSD_IP__[[500] spi=2471238029(0x934c198d)
=====

with many FreeBSD/Cisco IP combinations.

And sometimes:

=====
racoon: DEBUG: check spi(packet)=153891647 spi(db)=738738094.
racoon: DEBUG: check spi(packet)=153891647 spi(db)=153891647.
racoon: DEBUG: purged 1 SAs.
racoon: DEBUG: purged SAs.
racoon: DEBUG: pk_recv: retry[0] recv()
racoon: DEBUG: DELETE message is not interesting because the message was originated by me.
racoon: DEBUG: pk_recv: retry[0] recv()
racoon: DEBUG: got pfkey ACQUIRE message
=====

Regardless of these messages, ping still works fine, but only for the last configured ipsec-interface.

--
CU,
Victor Gamov
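An added diagnostic, not part of the thread: a script that cross-references the two setkey dumps above. A policy at level "unique" with a given reqid is only served by an SA carrying the same tunnel endpoints and the same reqid, so the check lists every interface-scoped policy for which no such SA exists. The sample input is constructed from the thread's own placeholder addresses and values, abbreviated to the fields the check uses.

```python
import re
# Constructed sample input: the inbound policies and SAs as quoted in the
# thread (placeholder addresses kept), trimmed to the fields this check uses.
SETKEY_DP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/__Cisco_30__-__FreeBSD_IP__/unique:30
    spid=1 seq=11 pid=99239 scope=ifnet ifname=ipsec30
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/__Cisco_26__-__FreeBSD_IP__/unique#16385
    spid=5 seq=9 pid=99239 scope=ifnet ifname=ipsec26
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/__Cisco_25__-__FreeBSD_IP__/unique:26
    spid=9 seq=7 pid=99239 scope=ifnet ifname=ipsec25
"""
SETKEY_D = """\
__Cisco_30__ __FreeBSD_IP__
    esp mode=tunnel spi=42561509(0x02896fe5) reqid=26(0x0000001a)
__Cisco_26__ __FreeBSD_IP__
    esp mode=tunnel spi=103689330(0x062e2c72) reqid=26(0x0000001a)
__Cisco_25__ __FreeBSD_IP__
    esp mode=tunnel spi=21918183(0x014e71e7) reqid=26(0x0000001a)
"""
# setkey prints "unique:N" for a manually chosen reqid and "unique#N" for a
# kernel-assigned one; in both cases N is the reqid a matching SA must carry.
SP_RE = re.compile(r"\b(in|out) ipsec\s+esp/tunnel/(\S+?)-(\S+?)/unique[:#](\d+)"
                   r"\s+spid=[^\n]*?ifname=(\S+)")
SA_RE = re.compile(r"^(\S+) (\S+)\n\s+esp mode=tunnel spi=\d+\(0x[0-9a-f]+\) reqid=(\d+)",
                   re.M)

def parse_policies(text):
    """Tunnel policies from 'setkey -DP': direction, endpoints, reqid, ifname."""
    return [dict(direction=d, src=s, dst=t, reqid=int(r), ifname=i)
            for d, s, t, r, i in SP_RE.findall(text)]

def parse_sas(text):
    """Tunnel-mode ESP SAs from 'setkey -D': endpoints and reqid."""
    return [dict(src=s, dst=t, reqid=int(r)) for s, t, r in SA_RE.findall(text)]

def unmatched_policies(policies, sas):
    """Sorted ifnames whose policy (endpoints + reqid) is served by no SA."""
    have = {(sa["src"], sa["dst"], sa["reqid"]) for sa in sas}
    return sorted({p["ifname"] for p in policies
                   if (p["src"], p["dst"], p["reqid"]) not in have})

if __name__ == "__main__":
    for name in unmatched_policies(parse_policies(SETKEY_DP), parse_sas(SETKEY_D)):
        print(f"{name}: no SA carries this policy's endpoints and reqid")
```

On a live host, feed it the real `setkey -DP` and `setkey -D` output instead of the embedded samples.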