From: KOT MATPOCKuH
Date: Thu, 2 May 2019 23:16:38 +0300
Subject: route based ipsec
To: stable@freebsd.org

Hello!

I'm trying to make a full mesh VPN using route-based IPsec between four hosts under FreeBSD 12. I used racoon from security/ipsec-tools (as recommended in https://www.freebsd.org/doc/handbook/ipsec.html). The result looks like it works, but I got some problems:

0. "The ipsec-tools port currently does not have a maintainer" (C) portmaster ... Is this solution really supported? Or should I switch to another IKE daemon?

1. racoon crashed 3 times with a core dump (2 times on one host, 1 time on another host):

(gdb) bt
#0 0x000000000024417f in isakmp_info_recv ()
#1 0x00000000002345f4 in isakmp_main ()
#2 0x00000000002307d0 in isakmp_handler ()
#3 0x000000000022f10d in session ()
#4 0x000000000022e62a in main ()

2. racoon generated 2 SAs for each traffic direction (from hostA to hostB). IMHO one SA for each traffic direction should be enough.

3. ping and TCP traffic work over the IPsec tunnels, but, for example, bird can't establish OSPF neighborhood over some (!) IPsec tunnels. I tried to watch traffic on the IPsec tunnels and got some strange behavior.
For example, ping hostA from hostD:

> ping -c 2 192.168.31.9
PING 192.168.31.9 (192.168.31.9): 56 data bytes
64 bytes from 192.168.31.9: icmp_seq=0 ttl=64 time=1.334 ms
64 bytes from 192.168.31.9: icmp_seq=1 ttl=64 time=1.280 ms

tcpdump on this hostD:

# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362318 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 0, length 64
23:08:53.363604 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384518 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 1, length 64
23:08:54.385731 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq

On the second side:

# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362196 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384441 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64

I think it may be a result of the two SAs for each direction: some traffic can be passed to the kernel using the second SA, but can't be associated with the proper ipsecX interface.

What can you recommend to solve these problems?

PS. "Don't use IPsec on FreeBSD" is a known, but wrong, answer :)

--
MATPOCKuH
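Added example for the thread above; this is not code from the original mail, from racoon or from ipsec-tools. On FreeBSD, if_ipsec(4) ties an SA to an ipsecN interface through the reqid, so a diagnostic that a practitioner would run on each host is to read `setkey -D`, group the live SAs by (src, dst) direction, and compare each SA's reqid with the reqid of the ipsecN interface whose tunnel endpoints it matches. The script below does that: it reports directions carrying more than one mature SA (the symptom in item 2) and SAs whose reqid does not belong to the interface covering those endpoints (an SA the kernel cannot hand to the expected ipsecX interface). The dump text, the 192.0.2.x addresses and the interface table are constructed for the example; on a real host the dump comes from `setkey -D` and the table from the "tunnel" and "reqid" lines of `ifconfig ipsecN`. SAs in state=dying left over from a rekey are deliberately not counted, so a normal rekey is not reported as a duplicate.

```python
"""Check a `setkey -D` dump against the reqids of if_ipsec(4) interfaces.

Added example, not from the original post.  Input is a constructed dump
in setkey's layout plus a constructed table of ipsecN interfaces; on a
real host feed it `setkey -D` output and the reqids from `ifconfig`.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of `setkey -D` (only the fields this
# script reads are reproduced; key material is dummy).  The direction
# 192.0.2.3 -> 192.0.2.1 deliberately has two mature SAs, one with reqid 0.
SAMPLE_SETKEY_D = """\
192.0.2.1 192.0.2.2
	esp mode=tunnel spi=16909060(0x01020304) reqid=100(0x00000064)
	E: aes-cbc  00112233 44556677 8899aabb ccddeeff
	A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
	esp mode=tunnel spi=84281096(0x05060708) reqid=100(0x00000064)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
	esp mode=tunnel spi=151653132(0x090a0b0c) reqid=100(0x00000064)
	seq=0x00000000 replay=4 flags=0x00000000 state=dying
192.0.2.1 192.0.2.3
	esp mode=tunnel spi=287454020(0x11223344) reqid=101(0x00000065)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.3 192.0.2.1
	esp mode=tunnel spi=1432778632(0x55667788) reqid=101(0x00000065)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.3 192.0.2.1
	esp mode=tunnel spi=2578103244(0x99aabbcc) reqid=0(0x00000000)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed: what `ifconfig ipsecN` shows as "tunnel inet A --> B" and
# "reqid: N" on host 192.0.2.1.  Supplied by the operator, not parsed here.
SAMPLE_INTERFACES = {
    "ipsec0": {"local": "192.0.2.1", "remote": "192.0.2.2", "reqid": 100},
    "ipsec1": {"local": "192.0.2.1", "remote": "192.0.2.3", "reqid": 101},
}

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" line
SA_RE = re.compile(
    r"^\s+(?P<proto>esp|ah|ipcomp)\s+mode=(?P<mode>\w+)\s+"
    r"spi=(?P<spi>\d+)\(0x[0-9a-fA-F]+\)\s+reqid=(?P<reqid>\d+)"
)
STATE_RE = re.compile(r"\bstate=(?P<state>\w+)")


def parse_setkey_dump(text):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, state."""
    sas, src, dst = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented: new endpoint pair
            m = HEADER_RE.match(line)
            if m:
                src, dst = m.group(1), m.group(2)
            continue
        m = SA_RE.match(line)
        if m and src is not None:               # first indented line of an SA
            sas.append({"src": src, "dst": dst, "proto": m.group("proto"),
                        "mode": m.group("mode"), "spi": int(m.group("spi")),
                        "reqid": int(m.group("reqid")), "state": None})
            continue
        m = STATE_RE.search(line)               # "seq=... state=mature" line
        if m and sas:
            sas[-1]["state"] = m.group("state")
    return sas


def find_duplicate_sas(sas):
    """Directions with more than one live SA; dying SAs (rekey) are ignored."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] in (None, "mature"):
            groups[(sa["src"], sa["dst"])].append(sa)
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_reqid_mismatches(sas, interfaces):
    """SAs whose endpoints belong to an ipsecN tunnel but whose reqid differs.

    if_ipsec(4) attaches an SA to the interface with the same reqid, so such
    an SA decrypts traffic that never shows up on that ipsecN interface.
    """
    by_endpoints = {}
    for name, ifc in interfaces.items():
        by_endpoints[(ifc["local"], ifc["remote"])] = (name, ifc["reqid"])
        by_endpoints[(ifc["remote"], ifc["local"])] = (name, ifc["reqid"])
    bad = []
    for sa in sas:
        hit = by_endpoints.get((sa["src"], sa["dst"]))
        if hit and hit[1] != sa["reqid"]:
            bad.append((hit[0], sa))
    return bad


def report(sas, interfaces):
    """Summary lines for both checks; returned rather than printed."""
    lines = []
    for (src, dst), group in sorted(find_duplicate_sas(sas).items()):
        spis = ", ".join("0x%08x/reqid=%d" % (s["spi"], s["reqid"]) for s in group)
        lines.append("%s -> %s: %d live SAs (%s)" % (src, dst, len(group), spis))
    for name, sa in find_reqid_mismatches(sas, interfaces):
        lines.append("%s -> %s spi=0x%08x has reqid %d but %s uses reqid %d" % (
            sa["src"], sa["dst"], sa["spi"], sa["reqid"], name,
            interfaces[name]["reqid"]))
    return lines


if __name__ == "__main__":
    for line in report(parse_setkey_dump(SAMPLE_SETKEY_D), SAMPLE_INTERFACES):
        print(line)
```

Run it on each of the four hosts with the real `setkey -D` output and that host's ipsecN reqids; a direction listed with two live SAs, or an SA flagged with a reqid that matches no interface, is the SA whose decrypted packets would not appear in a `tcpdump -i ipsecX` capture.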