From: Özkan KIRIK
Date: Sun, 9 Apr 2023 10:21:15 +0300
To: FreeBSD Net
Subject: IPsec VTI for Roadwarriors. reqid doesn't work for instantiating CHILD_SAs more than once.
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hi,

I'm using FreeBSD stable/13 and strongSwan 5.9. I have configured my server as an IPsec responder. A variable number of roadwarriors connect to this IPsec server, so both Phase 1 and Phase 2 connections are instantiated. The IPsec connections are established without any errors. Each roadwarrior has a network behind it.

I want to create a VTI interface for each incoming IPsec connection. FreeBSD if_ipsec supports only "reqid" for making a relationship with strongSwan. According to swanctl.conf, reqid doesn't change if the connection is instantiated more than once. I tried it, and the "reqid" is always the same for all the instantiated CHILD_SAs.

On Linux, the "if_id_in" and "if_id_out" properties provide a solution with IP XFRM interfaces: the updown script creates a new IP XFRM interface with a unique if_id pair provided by the strongSwan daemon.
Here is the swanctl.conf configuration that works on Linux:

connections {
    phase1-listener {
        local_addrs = %any
        remote_addrs = %any
        mobike = yes
        pools = ip_pool
        rekey_time = 14400s
        reauth_time = 0s
        local {
            id = listener.ipsec
            auth = psk
        }
        remote {
            id = *.branch
            auth = psk
        }
        children {
            phase2-instantiatable {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                updown = /etc/swanctl/updown_xfrm.sh
                if_id_in = %unique
                if_id_out = %unique
                rekey_time = 3600s
                start_action = trap
                close_action = trap
                dpd_action = trap
                ipcomp = no
                esp_proposals = aes128gcm16-prfsha1-modp2048
                mode = tunnel
            }
        }
        version = 2
        dpd_delay = 0s
        proposals = aes128gcm16-prfsha1-modp2048
    }
}

secrets {
    ike-1 {
        id-1 = *.branch
        secret = verycomplexsecret
    }
}

pools {
    ip_pool {
        addrs = 169.254.6.11-169.254.6.254
    }
}

----------------

The updown_xfrm.sh script creates the XFRM interface with the command template below:

    ip link add "${XFRM_INTF}" type xfrm dev ${PLUTO_INTERFACE} if_id ${PLUTO_IF_ID_IN}

Is it possible to make it work on FreeBSD?

Regards
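As an added example, not the poster's own updown_xfrm.sh (whose full contents are not in the mail), here is a complete POSIX sh updown script built around the command template above. It reads the variables strongSwan's updown plugin exports to the script (PLUTO_VERB, PLUTO_INTERFACE, PLUTO_IF_ID_IN, PLUTO_PEER_CLIENT); the interface naming scheme ("xfrm" followed by the if_id), the DRY_RUN hook and the token checks are this example's own choices. It also covers two cases the one-line template does not: a re-run when the interface already exists, and a peer whose remote TS was not narrowed from the configured 0.0.0.0/0, which would otherwise turn the per-peer route into a new default route.

```shell
#!/bin/sh
# Example strongSwan updown script for per-CHILD_SA XFRM interfaces.
# Added illustration, not the original poster's script. charon exports
# PLUTO_VERB, PLUTO_INTERFACE, PLUTO_IF_ID_IN (decimal) and PLUTO_PEER_CLIENT
# (CIDR) into the environment before running it. Interface naming, the
# DRY_RUN hook and the token checks are assumptions made for this example.

# One interface per if_id: with if_id_in = %unique every instantiated
# CHILD_SA (every roadwarrior) gets its own interface.
xfrm_ifname() {
    printf 'xfrm%s\n' "$1"
}

# The commands are later fed to eval as root, so refuse anything that is
# not a plain token even though the values come from charon itself.
safe_token() {
    case $1 in
        ''|*[!A-Za-z0-9._:/-]*) return 1 ;;
    esac
    return 0
}

# Print the ip(8) commands for one verb, one per line.
# Arguments: verb if_id parent_interface peer_client_cidr
# Returns 1 for verbs this script does not handle, 2 for bad input.
xfrm_commands() {
    verb=$1 ifid=$2 parent=$3 client=$4
    case $ifid in ''|*[!0-9]*) return 2 ;; esac
    safe_token "$parent" && safe_token "$client" || return 2
    ifname=$(xfrm_ifname "$ifid")
    case $verb in
        up-client)
            # Idempotent create: a re-run must not fail on "RTNETLINK answers: File exists".
            printf '%s\n' \
                "ip link show $ifname >/dev/null 2>&1 || ip link add $ifname type xfrm dev $parent if_id $ifid" \
                "ip link set $ifname up"
            # remote_ts is 0.0.0.0/0; if the peer did not narrow it, do not
            # install a route, or this peer would become the default route.
            if [ "$client" != 0.0.0.0/0 ] && [ "$client" != ::/0 ]; then
                printf '%s\n' "ip route replace $client dev $ifname"
            fi
            ;;
        down-client)
            # Deleting the link also removes the routes that point at it.
            printf '%s\n' "ip link del $ifname"
            ;;
        *)
            return 1
            ;;
    esac
}

# Run the commands, or just print them when DRY_RUN is set. Fails fast so
# charon logs the non-zero exit instead of leaving a half-configured peer.
xfrm_handle() {
    cmds=$(xfrm_commands "$@") || return $?
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

# Entry point when charon invokes the script; a no-op when sourced.
if [ -n "${PLUTO_VERB:-}" ]; then
    xfrm_handle "$PLUTO_VERB" "${PLUTO_IF_ID_IN:-}" "${PLUTO_INTERFACE:-}" "${PLUTO_PEER_CLIENT:-}"
fi
```

Running it with DRY_RUN=1 prints the commands charon would execute for a given verb, which is a convenient way to check the generated interface and route before pointing `updown =` at the script.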