Date: Sun, 5 May 2019 00:33:42 +0300
From: KOT MATPOCKuH <matpockuh@gmail.com>
To: freebsd-stable@freebsd.org
Subject: Re: route based ipsec
Message-ID: <CALmdT0Xtg6pz7WoZsLBv1V2Q2jfwz89CgHYGgeMAGO%2Bi=tTuHQ@mail.gmail.com>
In-Reply-To: <20190504171822.GA27671@thismonkey.com>
References: <mailman.11.1556971200.11143.freebsd-stable@freebsd.org> <20190504171822.GA27671@thismonkey.com>

Hello!

Sat, 4 May 2019 at 21:01, Scott Aitken <freebsd-lists-5@thismonkey.com>:

> > On 5/2/2019 4:16 PM, KOT MATPOCKuH wrote:
> > > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > > ... Is this solution really supported? Or should I switch to using
> > > another IKE daemon?
>
> I've just started using IPSEC between a 12.0-RELEASE box, a 11.2-RELEASE-p9
> box and a Cisco IOS router.

What type of peers_identifier are you using? I'm using asn1dn...
And today I got a coredump on the 3rd host in:
#0 0x000000000024717f in privsep_init ()

> I haven't seen any core dumps or crashes. I run routing between these
> devices (using RIPv2 rather than OSPF) - in order to do this you need to
> create tunnels between the devices because encrypting routing protocols and
> things that use multicast is tricky. I felt that the handbook example
> was lacking - it should have been encrypting the tunnel endpoints and NOT the
> LAN traffic on either side of the tunnel.

I used a pointtomultipoint topology and hardcoded the peers' IP addresses for OSPF.
No multicast => no problems :)

> Anyway I built IPENCAP (aka IPinIP) tunnels using gif interfaces and
> configured racoon/ipsec-tools to build the SA/SADs using the tunnel endpoints
> and IP protocol 4 (IPENCAP).

I think my next step will be to try to use gre tunnels over ipsec with psk authentication.

> If you want the configs let me know.

No, thank you! :)

-- 
MATPOCKuH