Subject: Re: if_ipsec(4) and IKEv1 [security/ipsec-tools, racoon.conf]
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Harry Schmalzbauer, freebsd-net@freebsd.org
Date: Tue, 27 Feb 2018 13:50:25 +0300
Message-ID: <04174d98-c35d-b88b-d0db-ac579b153c57@yandex.ru>
In-Reply-To: <5A952B38.8060007@omnilan.de>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 27.02.2018 12:56, Harry Schmalzbauer wrote:
> Hello,
>
> I'm out of ideas how to quick-start with if_ipsec(4) and IKEv1.
>
> I'm familiar with security/ipsec-tools, but I couldn't find out how
> racoon(8) would interact with cloned if_ipsec(4) interfaces yet.
You need to manually configure the if_ipsec interface, i.e. assign tunnel
addresses and bring it up. After that you need to configure racoon to
reply to ACQUIRE messages when some traffic goes through the configured
tunnel. So, you configure the if_ipsec tunnel and it creates security
policies; these policies will produce ACQUIRE requests to racoon, and
racoon should reply, and this will produce the needed security
associations.

> Also, how to tell racoon(8) to generate such tunnel interfaces, hence
> policies?
> I guess the latter isn't implemented in racoon(8) (yet).

I think there aren't any IKE daemons that can do this.

> But is racoon(8) supposed to work with static policies generated by
> if_ipsec(4)?

Yes, at least for one tunnel it worked for me. Probably it is possible
for several tunnels too.

-- 
WBR, Andrey V. Elsukov
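A concrete version of the setup Andrey describes, as an added example that is not part of the thread: the ifconfig(8) sequence that creates and configures the cloned if_ipsec(4) interface (which installs the security policies itself), and a racoon.conf fragment that only answers the kernel ACQUIRE for those policies instead of generating its own. The reqid 200, all addresses, the PSK path and the cipher choices are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): emits the if_ipsec(4)
# interface setup and a racoon.conf fragment for the flow the reply describes.
# The reqid, all addresses and the PSK path are constructed placeholders.

# $1 reqid, $2 local outer address, $3 peer outer address,
# $4 local inner (tunnel) address, $5 peer inner address.
ipsec_if_cmds() {
    case "$1" in
        ''|*[!0-9]*) echo "reqid must be numeric" >&2; return 1 ;;
    esac
    # A fixed reqid makes the policies if_ipsec installs easy to find in
    # 'setkey -DP' output and to match against the SAs racoon negotiates.
    printf 'ifconfig ipsec0 create reqid %s\n' "$1"
    printf 'ifconfig ipsec0 inet tunnel %s %s\n' "$2" "$3"
    printf 'ifconfig ipsec0 inet %s %s up\n' "$4" "$5"
}

# $1 peer outer address. racoon only answers the kernel ACQUIRE for the
# tunnel policy; generate_policy off keeps it from adding policies of its own.
racoon_conf() {
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote $1 {
        exchange_mode main;
        generate_policy off;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

sainfo anonymous {
        pfs_group modp2048;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
EOF
}

# Constructed values; pipe ipsec_if_cmds into sh as root on the FreeBSD host.
ipsec_if_cmds 200 192.0.2.1 198.51.100.1 10.100.0.1 10.100.0.2
racoon_conf 198.51.100.1
```

After racoon has negotiated, `setkey -D` should show ESP SAs between the outer addresses carrying the same reqid as the interface's policies.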