Date: Thu, 2 May 2019 23:16:38 +0300
From: KOT MATPOCKuH <matpockuh@gmail.com>
To: stable@freebsd.org
Subject: route based ipsec
Message-ID: <CALmdT0Wdb%2B=LHvTaO9MU=MnQvQJEzKT9CXAf2kVPY=AAc=kxVQ@mail.gmail.com>
Hello!

I'm trying to make a full mesh VPN using route based IPsec between four hosts under FreeBSD 12.
I used racoon from security/ipsec-tools (as recommended in https://www.freebsd.org/doc/handbook/ipsec.html).
The result looks like it works, but I got some problems:

0. The ipsec-tools port currently does not have a maintainer (C) portmaster ...
   Is this solution really supported? Or should I switch to another IKE daemon?

1. racoon crashed 3 times with a core dump (2 times on one host, 1 time on another host):

(gdb) bt
#0  0x000000000024417f in isakmp_info_recv ()
#1  0x00000000002345f4 in isakmp_main ()
#2  0x00000000002307d0 in isakmp_handler ()
#3  0x000000000022f10d in session ()
#4  0x000000000022e62a in main ()

2. racoon generated 2 SAs for each traffic direction (from hostA to hostB). IMHO one SA for each traffic direction should be enough.

3. ping and TCP traffic work over the IPsec tunnels, but, for example, bird can't establish an OSPF neighborhood over some (!) IPsec tunnels.
I tried to watch traffic on the IPsec tunnels and got some strange behavior.

For example, ping hostA from hostD:

> ping -c 2 192.168.31.9
PING 192.168.31.9 (192.168.31.9): 56 data bytes
64 bytes from 192.168.31.9: icmp_seq=0 ttl=64 time=1.334 ms
64 bytes from 192.168.31.9: icmp_seq=1 ttl=64 time=1.280 ms

tcpdump on this hostD:

# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362318 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 0, length 64
23:08:53.363604 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384518 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 1, length 64
23:08:54.385731 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq

On the second side:

# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362196 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384441 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64

I think it may be the result of two SAs for each direction: some traffic can be passed to the kernel using the second SA, but can't be associated with the proper ipsecX interface.

What can you recommend to solve these problems?

PS. "Not using IPsec on FreeBSD" is a known, but wrong, answer :)

--
MATPOCKuH
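Added example (not part of the post, and not racoon's or FreeBSD's code): a Python check that parses the two tcpdump captures quoted in the message, embedded here as a constructed sample, and lists the echo packets one end saw on its ipsecX interface that the other end did not. It assumes the default tcpdump -n line format shown in the post; the truncated last hostD line is completed as "length 64" in the sample only.

```python
import re

# Constructed sample: the two tcpdump runs quoted in the post (hostD's and
# hostA's ipsec2). The last hostD line was cut off in the post; it is
# completed here as "length 64" for this sample only.
HOSTD_CAPTURE = """\
23:08:53.362318 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 0, length 64
23:08:53.363604 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384518 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 1, length 64
23:08:54.385731 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64
"""
HOSTA_CAPTURE = """\
23:08:53.362196 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384441 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64
"""

# Matches tcpdump -n output for ICMP echo. The timestamp is skipped: the two
# hosts' clocks are not compared, only which packets each interface saw.
ICMP_RE = re.compile(
    r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)"
)

def parse_icmp(capture):
    """Return the set of (src, dst, kind, id, seq) echo packets in a capture."""
    packets = set()
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            packets.add((src, dst, kind, int(ident), int(seq)))
    return packets

def missing_on_peer(local, peer):
    """Packets one end saw on its ipsecX interface that the other end did not.

    With one tunnel per peer, both ends should see the same echo request and
    reply pairs on their ipsecX interfaces; anything listed here reached the
    peer's kernel by some other path (e.g. a second SA) or not at all."""
    return sorted(local - peer)

def asymmetry_report(local_name, peer_name, local, peer):
    """One human-readable line per packet missing on the peer's interface."""
    return [
        f"echo {kind} {src} > {dst} id {ident} seq {seq}: "
        f"seen on {local_name}, not on {peer_name}"
        for src, dst, kind, ident, seq in missing_on_peer(local, peer)
    ]

if __name__ == "__main__":
    host_d, host_a = parse_icmp(HOSTD_CAPTURE), parse_icmp(HOSTA_CAPTURE)
    print("\n".join(asymmetry_report("hostD", "hostA", host_d, host_a)))
    print("\n".join(asymmetry_report("hostA", "hostD", host_a, host_d)))
```

On the captures from the post it reports both echo requests as seen on hostD but absent from hostA's ipsec2, while the replies match on both sides.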