From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: peter.blok@bsd4all.org, Victor Gamov
Cc: freebsd-net@freebsd.org
Subject: Re: multiple if_ipsec
Date: Tue, 8 May 2018 16:51:07 +0300
List-Id: Networking and TCP/IP with FreeBSD

On 08.05.2018 14:03, peter.blok@bsd4all.org wrote:
> Hi Victor,
>
> I'm struggling with the same issue.
> My sainfo doesn't match unless I use anonymous.
>
> Hi Andrey,
>
> What I don't understand is why a "catchall" policy is added instead
> of the policy that matches the inner tunnel.

This is because of how IPsec works in the BSD network stack. In simple words: outbound traffic is matched by security policy, inbound is matched by security association.

When a packet is going to be sent from a host, the kernel checks the security policies for a match. If it is matched, the packet goes into IPsec processing. Then the IPsec code, using the given security policy, does a lookup for a matching security association, and some IPsec transform happens.

When a host receives a packet, it is handled by the network stack first. If it has a corresponding IPsec inner protocol (ESP, AH), it will be handled by the IPsec code. A packet has an embedded SPI, which is used for the security association lookup. If the corresponding SA is found, the IPsec code will apply the reverse IPsec transform to the packet. Then the kernel checks that there is some security policy for that packet.

Now, how if_ipsec(4) works. Security policies associated with an interface have configured requirements for tunnel mode with the configured addresses. The interfaces are designed for route-based VPN, and when a packet is going to be sent through an if_ipsec interface, its "output" routine uses the security policy associated with the interface and with the configured "reqid". If there are no SAs configured with the given reqid, the IPsec code will send an ACQUIRE message to IKE, and it should install SAs that will be used for the IPsec transforms.

When a host receives a packet, it is handled by the network stack, then by the IPsec code, and when the reverse transform is finished, the IPsec code checks whether the packet was matched by a tunnel mode SA; if so, it will be checked by the if_ipsec input routine. If the addresses and reqid from the SA match the if_ipsec configuration, it will be taken by the if_ipsec interface.

> What is supposed to happen here?
> Is the IKE daemon supposed to update
> the policy once started?

In my understanding, IKE is only supposed to install SAs for if_ipsec. It can't change these policies, because they are immutable.

I think for proper support of several if_ipsec interfaces racoon needs some patches, but I have no spare time to do this job. I recommend using strongswan; it has active developers who are responsive and may give some help at least.

There was a link with an example, but it also uses only one interface:
https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec

-- 
WBR, Andrey V. Elsukov
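The lookup order Andrey describes (outbound matched by policy, inbound matched by SA via the SPI, then the if_ipsec input routine claiming tunnel mode traffic whose addresses and reqid match an interface) can be modelled in a few dozen lines. The following Python is an added example for this thread, not FreeBSD kernel code and not written by the message's author; the `Stack`, `SA` and `IfIpsec` names, the addresses, SPIs and reqids are all constructed, and the model simplifies the real SPD/SAD by binding exactly one tunnel mode policy to each interface. It shows why two interfaces with different reqids receive the right traffic, why an SA negotiated under a reqid no interface owns falls through to the ordinary policy check, and why an interface with no matching outbound SA produces an ACQUIRE instead of sending anything.

```python
"""Toy model of the BSD IPsec lookup order from the message above.

Constructed example, not FreeBSD code: outbound packets are matched by a
security policy (here, the policy bound to an if_ipsec interface, which
carries the interface's tunnel addresses and reqid); inbound packets are
matched by a security association via the SPI in the ESP/AH header, and
only afterwards checked against if_ipsec configuration or policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    """A security association entry in the SAD (all values constructed)."""
    spi: int
    src: str
    dst: str
    reqid: int
    mode: str = "tunnel"


@dataclass(frozen=True)
class IfIpsec:
    """An if_ipsec(4) interface: tunnel endpoints plus its reqid."""
    name: str
    local: str
    remote: str
    reqid: int


@dataclass
class Stack:
    sad: Dict[int, SA]                  # SPI -> SA
    interfaces: List[IfIpsec]
    acquires: List[Tuple[str, int]] = field(default_factory=list)  # ACQUIREs sent to IKE

    def output(self, ifname: str, payload: str) -> Optional[tuple]:
        """Outbound: the interface policy demands tunnel mode between its
        configured addresses with its reqid; find an SA that satisfies it."""
        iface = next(i for i in self.interfaces if i.name == ifname)
        for sa in self.sad.values():
            if (sa.mode == "tunnel" and sa.reqid == iface.reqid
                    and sa.src == iface.local and sa.dst == iface.remote):
                return ("esp", sa.spi, payload)   # transform applied with this SA
        # No usable SA: the kernel asks IKE to negotiate one; nothing is sent.
        self.acquires.append((iface.name, iface.reqid))
        return None

    def input(self, spi: int, payload: str) -> tuple:
        """Inbound: the SPI selects the SA; after the reverse transform, a
        tunnel mode SA is offered to the if_ipsec input routine, which claims
        the packet only if addresses and reqid match one of its interfaces."""
        sa = self.sad.get(spi)
        if sa is None:
            return ("drop", "no SA for SPI")
        if sa.mode == "tunnel":
            for iface in self.interfaces:
                if (sa.reqid == iface.reqid and sa.src == iface.remote
                        and sa.dst == iface.local):
                    return ("iface", iface.name, payload)
        # Not claimed by any interface: falls through to the ordinary
        # security policy check for decapsulated traffic.
        return ("policy-check", payload)


def build_demo() -> Stack:
    """Two if_ipsec interfaces on one host, told apart by reqid.
    Addresses are documentation ranges; SPIs are constructed."""
    ipsec0 = IfIpsec("ipsec0", "192.0.2.1", "198.51.100.1", reqid=100)
    ipsec1 = IfIpsec("ipsec1", "192.0.2.1", "203.0.113.1", reqid=200)
    sad = {
        0x1001: SA(0x1001, "198.51.100.1", "192.0.2.1", reqid=100),  # peer A -> us
        0x1002: SA(0x1002, "192.0.2.1", "198.51.100.1", reqid=100),  # us -> peer A
        0x2001: SA(0x2001, "203.0.113.1", "192.0.2.1", reqid=200),  # peer B -> us
        # Peer B -> us again, but negotiated under a reqid no interface owns.
        0x2002: SA(0x2002, "203.0.113.1", "192.0.2.1", reqid=300),
        # ipsec1 has no outbound SA yet: its first packet triggers an ACQUIRE.
    }
    return Stack(sad=sad, interfaces=[ipsec0, ipsec1])


if __name__ == "__main__":
    st = build_demo()
    print(st.output("ipsec0", "inner"))   # ('esp', 4098, 'inner')
    print(st.output("ipsec1", "inner"))   # None, plus an ACQUIRE for reqid 200
    print(st.acquires)                    # [('ipsec1', 200)]
    print(st.input(0x1001, "inner"))      # ('iface', 'ipsec0', 'inner')
    print(st.input(0x2001, "inner"))      # ('iface', 'ipsec1', 'inner')
    print(st.input(0x2002, "inner"))      # ('policy-check', 'inner')
    print(st.input(0xDEAD, "inner"))      # ('drop', 'no SA for SPI')
```

The SA under reqid 300 is the interesting case for the thread: if the IKE daemon negotiates SAs whose reqid does not match any interface (as happens when a catch-all policy rather than the per-interface one drives the negotiation), the decapsulated packets are never claimed by `ipsec1` and instead hit the generic policy check, which is the symptom of a working tunnel whose traffic does not arrive on the expected interface.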