Date: Sat, 14 Oct 2023 19:57:34 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274469] if_ipsec cannot handle multiple connections from same reqid
Message-ID: <bug-274469-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274469

Bug ID: 274469
Summary: if_ipsec cannot handle multiple connections from same reqid
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ozkan.kirik@gmail.com

On Linux, strongswan can assign a unique if_id for each incoming connection belonging to the same reqid (phase2) definition. By the way, you can create an xfrm interface for each incoming CHILD_SA using up/down scripts. But on FreeBSD, only reqid can be used for if_ipsec creation. It would be perfect if it could support if_id.

The problem on FreeBSD: All the incoming connections get the SAME reqid according to the scenario and config given below. By the way, we need something like if_id in Linux. I tried setting reqid = 0 in swanctl.conf to assign it dynamically. But it takes only one reqid value and all incoming connections use the same reqid. So we cannot separate interfaces from each other.

The usage scenario is explained below:
- Host A is responder, which accepts multiple roadwarriors from a single conn/child definition.
- Remote ID is defined as "*.local"
- Host B is initiator using Local ID "hostB.local"
- Host C is initiator using Local ID "hostC.local"
- There are too many initiators like this.
- updown script on Host A should create a new if_ipsec for each initiator.
- I want to create different if_ipsec interfaces for each remote host without defining them statically in swanctl.conf.
- It's possible in linux.
Example strongswan config for Host A:

responder {
    local_addrs = %any
    remote_addrs = %any
    pools = vip_pool
    local {
        id = responder.local
        auth = psk
    }
    remote {
        id = *.local
        auth = psk
    }
    children {
        phase2 {
            local_ts = 169.254.255.1
            remote_ts = 0.0.0.0/0
            updown = /scripts/updown.sh
            if_id_in = %unique
            if_id_out = %unique
            esp_proposals = aes128gcm8-prfmd5-modp1024
            mode = tunnel
        }
    }
    version = 2
    proposals = aes128gcm8-prfmd5-modp1024
}
---------------------------

-- 
You are receiving this mail because:
You are the assignee for the bug.
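The limitation the report describes can be made visible from the updown side. The helper below is an added example, not the reporter's /scripts/updown.sh or anything shipped with strongSwan or FreeBSD: it keys if_ipsec(4) interfaces on reqid, the only key FreeBSD offers, and therefore has to refuse the second roadwarrior that arrives with the reqid a first peer already owns. It assumes the PLUTO_VERB, PLUTO_REQID and PLUTO_PEER_ID variables that strongSwan's updown plugin exports, peer IDs without whitespace, an overridable IFCONFIG and STATE_FILE so the logic can be checked offline, and that "ifconfig ipsec create" prints the name of the interface it created.

```sh
#!/bin/sh
# Added example, not from the bug report: an updown helper that maps each
# CHILD_SA to an if_ipsec(4) interface keyed on reqid, the only key FreeBSD
# offers. Assumes strongSwan's updown plugin exports PLUTO_VERB, PLUTO_REQID
# and PLUTO_PEER_ID, that peer IDs contain no whitespace, and that
# "ifconfig ipsec create" prints the name of the new interface.

STATE_FILE="${STATE_FILE:-/var/run/ipsec_ifmap}"   # lines: "reqid peer-id ifname"
IFCONFIG="${IFCONFIG:-ifconfig}"                   # overridable for offline checks

# if_ipsec_updown VERB REQID PEER_ID
# Exit status: 0 ok, 1 reqid already owned by another peer (or ifconfig failed),
# 2 missing argument.
if_ipsec_updown() {
    verb=$1; reqid=$2; peer=$3
    [ -n "$verb" ] && [ -n "$reqid" ] && [ -n "$peer" ] || return 2
    touch "$STATE_FILE"
    owner=$(awk -v r="$reqid" '$1 == r { print $2; exit }' "$STATE_FILE")
    case $verb in
    up-client)
        if [ -n "$owner" ] && [ "$owner" != "$peer" ]; then
            # Two roadwarriors share one reqid: a second interface with the
            # same reqid cannot be told apart, so refuse instead of aliasing.
            echo "reqid $reqid already bound to $owner, cannot add $peer" >&2
            return 1
        fi
        [ -n "$owner" ] && return 0      # same peer re-keyed: nothing to do
        ifname=$("$IFCONFIG" ipsec create) || return 1
        "$IFCONFIG" "$ifname" reqid "$reqid" || return 1
        echo "$reqid $peer $ifname" >> "$STATE_FILE"
        ;;
    down-client)
        ifname=$(awk -v r="$reqid" -v p="$peer" '$1 == r && $2 == p { print $3; exit }' "$STATE_FILE")
        [ -n "$ifname" ] || return 0     # nothing was created for this pair
        "$IFCONFIG" "$ifname" destroy || return 1
        awk -v r="$reqid" -v p="$peer" '!($1 == r && $2 == p)' "$STATE_FILE" > "$STATE_FILE.tmp" \
            && mv "$STATE_FILE.tmp" "$STATE_FILE"
        ;;
    *)  ;;                               # up-host, down-host etc. are ignored here
    esac
    return 0
}

# Entry point when strongSwan runs the script; skipped when it is sourced.
if [ -n "$PLUTO_VERB" ]; then
    if_ipsec_updown "$PLUTO_VERB" "$PLUTO_REQID" "$PLUTO_PEER_ID"
fi
```

With the scenario above, hostB.local gets an interface and hostC.local is refused with exit status 1, which is exactly the gap an if_id-style key would close.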