From owner-freebsd-stable@freebsd.org Sat May 4 17:58:42 2019
From: Scott Aitken <freebsd-lists-5@thismonkey.com>
To: freebsd-stable@freebsd.org
Subject: Re: route based ipsec
Date: Sun, 5 May 2019 03:18:22 +1000
Message-ID: <20190504171822.GA27671@thismonkey.com>
User-Agent: Mutt/1.11.4 (2019-03-13)

> On 5/2/2019 4:16 PM, KOT MATPOCKuH wrote:
> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to
> > another IKE daemon?

I've just started using IPSEC between a 12.0-RELEASE box, an 11.2-RELEASE-p9 box and a Cisco IOS router. I haven't seen any core dumps or crashes.

I run routing between these devices (using RIPv2 rather than OSPF) - in order to do this you need to create tunnels between the devices, because encrypting routing protocols and things that use multicast is tricky. I felt that the handbook example was lacking - it should have been encrypting the tunnel endpoints and NOT the LAN traffic on either side of the tunnel.

Anyway, I built IPENCAP (aka IPinIP) tunnels using gif interfaces and configured racoon/ipsec-tools to build the SA/SADs using the tunnel endpoints and IP protocol 4 (IPENCAP).

Step 1 was to confirm I could PING over the gif tunnel without crypto. Then I fired up racoon (setkey to create the SA and racoon for IPSEC).

If you want the configs, let me know.

Scott
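The setup described in the message above (a gif IPENCAP tunnel, with IPsec applied only to the protocol-4 traffic between the two tunnel endpoints, and racoon doing IKE), written out as an added configuration example. This is not Scott's posted config and not the FreeBSD handbook example; the outer addresses 203.0.113.1/203.0.113.2, the inner tunnel net 10.255.0.0/30, the interface name em0 and the pre-shared key are assumed placeholders, and the peer side mirrors it with the addresses swapped.

```conf
# ---- /etc/rc.conf (FreeBSD 11.2 / 12.0 side; addresses are placeholders) ----
# Load the IPsec module if the kernel was not built with "options IPSEC".
kld_list="ipsec"

# Outer tunnel between the public endpoints, inner point-to-point net inside it.
cloned_interfaces="gif0"
create_args_gif0="tunnel 203.0.113.1 203.0.113.2"
ifconfig_gif0="inet 10.255.0.1 10.255.0.2 netmask 255.255.255.252"

# Load the SPD from /etc/ipsec.conf at boot, then start racoon (ipsec-tools port).
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="YES"

# ---- /etc/ipsec.conf (setkey script, loaded by ipsec_enable) ----
# Policy is keyed on the tunnel endpoints and upper protocol "ipencap"
# (IP protocol 4, also accepted as "ip4" by setkey). Nothing about the LAN
# prefixes appears here: whatever is routed into gif0 is encapsulated first,
# and the encapsulated packet is what gets protected. Transport mode is enough
# because the ESP endpoints and the gif endpoints are the same two hosts.
flush;
spdflush;
spdadd 203.0.113.1 203.0.113.2 ipencap -P out ipsec esp/transport//require;
spdadd 203.0.113.2 203.0.113.1 ipencap -P in  ipsec esp/transport//require;

# ---- /usr/local/etc/racoon/racoon.conf (IKEv1 via ipsec-tools) ----
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # mode 0600, "203.0.113.2 <secret>"

listen {
        isakmp 203.0.113.1 [500];
}

remote 203.0.113.2 {
        exchange_mode main;
        my_identifier address 203.0.113.1;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

# Phase 2 selector: the same two endpoint addresses the SPD entries name.
sainfo address 203.0.113.1 any address 203.0.113.2 any {
        pfs_group modp2048;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}

# ---- checks, in the order the message suggests ----
# 1. before loading the SPD: ping 10.255.0.2 must work over bare gif0
#    (tcpdump -ni em0 'ip proto 4' shows IPENCAP packets in the clear).
# 2. setkey -f /etc/ipsec.conf; setkey -DP   -> both policies listed.
# 3. service racoon start; ping 10.255.0.2 again (first packet triggers IKE);
#    setkey -D                              -> one ESP SA per direction.
# 4. tcpdump -ni em0 'host 203.0.113.2 and (esp or udp port 500)'
#    -> only ESP and IKE on the wire; no more 'ip proto 4' visible.
```

The point of keying the policy on protocol 4 rather than on the LAN prefixes is that routing protocols (RIPv2 multicast to 224.0.0.9 in this case) and any other traffic that the routing table sends into gif0 are protected without having to enumerate them in the SPD; the tunnel decides what crosses, IPsec only has to cover the one flow between the endpoints. A practical caveat when reusing this: the SPD above requires ESP for all protocol-4 traffic between the two addresses, so if racoon is not running (or the PSK does not match), the gif tunnel stops passing traffic rather than falling back to cleartext, which is the behaviour you want.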