Subject: Re: multiple if_ipsec
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: peter.blok@bsd4all.org, Victor Gamov
Cc: freebsd-net@freebsd.org, Eugene Grosbein
Date: Sun, 13 May 2018 14:59:13 +0300
List-Id: Networking and TCP/IP with FreeBSD

On 08.05.2018 16:51, Andrey V. Elsukov wrote:
> I think for proper support of several if_ipsec interfaces racoon needs
> some patches.
> But I have no spare time to do this job.
> I recommend using strongswan; it has active developers that are
> responsive and may give some help at least.

Hi,

Today I hacked ipsec-tools a bit and made a patch that adds support for
multiple if_ipsec interfaces.

https://people.freebsd.org/~ae/patch-reqid.diff

You can put this patch into the ipsec-tools/files/ directory and then
rebuild the package. I'm not sure about compatibility with generic
configurations; I tested only the case with two if_ipsec tunnels.

What it does:

* added a new configuration option for the sainfo section - "reqid NUM";
* the policy index was extended to contain reqid, so now racoon's security
  policies from multiple interfaces don't overlap;
* logging was extended to print reqid in some places.

How it is expected to be used:

In racoon.conf you have several "remote IP-address {}" sections. Each
section should have a "ph1id NUM" option. This option is used to select
the corresponding "sainfo {}". You can have many "sainfo anonymous {}"
sections with different "remoteid NUM", where NUM should match "ph1id
NUM". Also you need to add a "reqid N" option to these sainfo sections.
This reqid should match the value configured on the if_ipsec interface.

I.e. "ph1id NUM" and "remoteid NUM" are used to create the relation
between the "sainfo" and "remote" sections, and the "reqid N" option is
used to look up the corresponding SP in the SPDB and install the proper
SA with the needed reqid.
The example based on your config:

remote 10.9.8.2 {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address 10.9.8.3;
        peers_identifier address 10.9.8.2;
        ph1id 10982;
        nonce_size 16;
        initial_contact on;
        proposal_check obey;    # obey, strict, or claim
        passive off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

remote 10.9.8.6 {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address 10.9.8.3;
        peers_identifier address 10.9.8.6;
        ph1id 10986;
        nonce_size 16;
        initial_contact on;
        proposal_check obey;
        passive off;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        remoteid 10982;
        reqid 100;
        lifetime time 24 hour;
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo anonymous {
        remoteid 10986;
        reqid 200;
        lifetime time 24 hour;
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}

sainfo anonymous {
        lifetime time 30 min;
        pfs_group 2;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

--
WBR, Andrey V. Elsukov
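The mail above describes three values that have to line up before the patched racoon will install SAs on the right tunnel: each "remote" section's ph1id, the remoteid of the sainfo section that is meant for it, and the reqid that sainfo shares with one if_ipsec interface. A quick consistency check before restarting racoon is the kind of thing a practitioner wants here. The following is an added example, not code from the mail, from ipsec-tools or from the patch: a small parser for the racoon.conf block syntax plus a checker that reports remotes without ph1id, sainfo sections whose remoteid matches no ph1id, sainfo sections bound to a remote but lacking a reqid, reqids that no interface carries, and interface reqids that no sainfo refers to. The function and variable names (`tokenize`, `parse`, `first_arg`, `check_racoon_conf`) are mine, the two configurations are constructed samples in the shape of the one in the mail, and `interface_reqids` is assumed to have been collected separately from the reqid parameter of the ipsec interfaces (ifconfig output); nothing here talks to the kernel.

```python
import re

# Constructed sample in the shape of the racoon.conf in the mail: two remotes
# tied to two sainfo sections via ph1id/remoteid, each sainfo carrying the
# reqid of its if_ipsec interface, plus a generic fallback sainfo.
GOOD_CONF = """
remote 10.9.8.2 {
    exchange_mode main,aggressive;
    my_identifier address 10.9.8.3;
    peers_identifier address 10.9.8.2;
    ph1id 10982;
    proposal_check obey;   # obey, strict, or claim
    proposal { encryption_algorithm 3des; hash_algorithm sha1; dh_group 2; }
}
remote 10.9.8.6 {
    peers_identifier address 10.9.8.6;
    ph1id 10986;
    proposal { encryption_algorithm aes; hash_algorithm sha256; dh_group 2; }
}
sainfo anonymous { remoteid 10982; reqid 100; encryption_algorithm 3des; }
sainfo anonymous { remoteid 10986; reqid 200; encryption_algorithm aes; }
sainfo anonymous { lifetime time 30 min; encryption_algorithm des; }
"""

# Constructed broken variant: a remote without ph1id, a sainfo with remoteid
# but no reqid, and a sainfo whose reqid is not set on any interface.
BAD_CONF = """
remote 10.9.8.2 { ph1id 10982; proposal { encryption_algorithm aes; } }
remote 10.9.8.6 { proposal { encryption_algorithm aes; } }
sainfo anonymous { remoteid 10982; encryption_algorithm aes; }
sainfo anonymous { remoteid 10986; reqid 200; encryption_algorithm aes; }
"""


def tokenize(text):
    """Split racoon.conf text into words, braces and semicolons; '#' comments dropped."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"\{|\}|;|[^\s{};]+", text)


def parse(tokens):
    """Return a list of items {kw, args, body}; body is None for 'kw args;' lines."""
    pos = 0

    def body():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", "}", ";"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                break
            if tokens[pos] == ";":
                pos += 1
                if words:
                    items.append({"kw": words[0], "args": words[1:], "body": None})
            elif tokens[pos] == "{":
                pos += 1
                inner = body()
                if pos < len(tokens) and tokens[pos] == "}":
                    pos += 1
                if words:
                    items.append({"kw": words[0], "args": words[1:], "body": inner})
            else:  # '}' after dangling words: let the enclosing section consume it
                break
        return items

    return body()


def first_arg(items, kw):
    """Value of the first 'kw VALUE;' statement in a section, or None."""
    for it in items:
        if it["kw"] == kw and it["body"] is None and it["args"]:
            return it["args"][0]
    return None


def check_racoon_conf(conf_text, interface_reqids):
    """Check the ph1id/remoteid/reqid wiring; interface_reqids is the set of
    reqid values configured on the if_ipsec interfaces (collected elsewhere)."""
    issues = []
    items = parse(tokenize(conf_text))
    ph1ids = {}  # ph1id -> peer address
    for it in items:
        if it["kw"] != "remote":
            continue
        peer = it["args"][0] if it["args"] else "?"
        ph1 = first_arg(it["body"], "ph1id")
        if ph1 is None:
            issues.append(f"remote {peer}: no ph1id, so no sainfo can be selected for it")
        else:
            ph1ids[ph1] = peer
    used_reqids = set()
    for n, it in enumerate(items, 1):
        if it["kw"] != "sainfo":
            continue
        label = f"sainfo {' '.join(it['args'])} (section {n})"
        remoteid = first_arg(it["body"], "remoteid")
        reqid = first_arg(it["body"], "reqid")
        if remoteid is None and reqid is None:
            continue  # generic sainfo, not bound to a particular interface
        if remoteid is not None and remoteid not in ph1ids:
            issues.append(f"{label}: remoteid {remoteid} matches no remote ph1id")
        if reqid is None:
            issues.append(f"{label}: has remoteid but no reqid, so its SP is not bound to an if_ipsec interface")
            continue
        if reqid not in interface_reqids:
            issues.append(f"{label}: reqid {reqid} is not configured on any if_ipsec interface")
        used_reqids.add(reqid)
    for r in sorted(interface_reqids - used_reqids):
        issues.append(f"if_ipsec reqid {r}: no sainfo section refers to it")
    return issues


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_racoon_conf(conf, {"100", "200"}) or "OK")
```

The parser only understands the block-and-statement shape of racoon.conf (keywords, arguments, `{ }` sections, `;` terminators, `#` comments), which is all the check needs; it does not validate proposals or lifetimes. Run with the real file and the reqid set read from the ipsec interfaces to get the list of mismatches before racoon is restarted with the patched build.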