Date: Tue, 7 May 2019 23:23:22 +0300
From: KOT MATPOCKuH <matpockuh@gmail.com>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: stable@freebsd.org
Subject: Re: route based ipsec
Message-ID: <CALmdT0W6f_X-V6UadxwYpsfbr0m34xANRGN5qWhs-7KMvCyA6A@mail.gmail.com>
In-Reply-To: <a7d8c37c-8712-ded6-4c30-d473bf20f877@yandex.ru>
References: <CALmdT0Wdb+=LHvTaO9MU=MnQvQJEzKT9CXAf2kVPY=AAc=kxVQ@mail.gmail.com> <a7d8c37c-8712-ded6-4c30-d473bf20f877@yandex.ru>
[-- Attachment #1 --]

Hello!

Sun, 5 May 2019 at 13:50, Andrey V. Elsukov <bu7cher@yandex.ru>:
> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to use another
> > IKE daemon?
> I think it is unmaintained in upstream too.

But why is it still recommended in the FreeBSD handbook?

> > 1. racoon crashed 3 times with core dump (2 times on one host, 1 time
> > on another host):
> >
> > (gdb) bt
> > #0 0x000000000024417f in isakmp_info_recv ()
> > #1 0x00000000002345f4 in isakmp_main ()
> > #2 0x00000000002307d0 in isakmp_handler ()
> > #3 0x000000000022f10d in session ()
> > #4 0x000000000022e62a in main ()
> >
> > 2. racoon generated 2 SA for each traffic direction (from hostA to hostB).
> > IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.

I don't understand what in my configuration can result in core dumps of a running daemon...
I've attached a sample racoon.conf. Can you check it for possible problems?

Also on one host I got a crash in another function:

(gdb) bt
#0 0x000000000024717f in privsep_init ()
#1 0x00000000002375f4 in inscontacted ()
#2 0x00000000002337d0 in isakmp_plist_set_all ()
#3 0x000000000023210d in isakmp_ph2expire ()
#4 0x000000000023162a in isakmp_ph1delete ()
#5 0x000000000023110b in isakmp_ph2resend ()
#6 0x00000008002aa000 in ?? ()
#7 0x0000000000000000 in ?? ()

> Note, that if_ipsec(4) interfaces has own security policies and you need
> to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in
> port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

This patch is already applied to the ports tree.
But it's not enough in my case :(

> Also you can use strongswan, we use it for some time and have no problems.

Okay. Thank you! I will try to use strongswan.
I tried to replace rsasig authentication with psk, but without luck. I again got two IPsec SAs for each direction....

-- 
MATPOCKuH

[-- Attachment #2 --]

path certificate "/etc/ssl/new";

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some padding parameters. You should not touch these.
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

listen {
	isakmp aaa.bbb.ccc.ddd [500];
}

# Specify various default timers.
timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode main;
	doi ipsec_doi;
	my_identifier asn1dn;
	peers_identifier asn1dn;
	verify_identifier on;
	certificate_type x509 "host1.ru.crt" "host1.ru.key";
	ca_type x509 "ca.crt";
	dpd_delay 10;
	lifetime time 12 hour;	# sec,min,hour
	passive off;
	proposal_check strict;	# obey, strict, or claim
	nat_traversal off;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha256;
		authentication_method rsasig;
		lifetime time 30 sec;
		dh_group 16;
	}
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode main;
	doi ipsec_doi;
	my_identifier asn1dn;
	peers_identifier asn1dn;
	verify_identifier on;
	certificate_type x509 "host1.ru.crt" "host1.ru.key";
	ca_type x509 "ca.crt";
	dpd_delay 10;
	lifetime time 12 hour;	# sec,min,hour
	passive off;
	proposal_check strict;	# obey, strict, or claim
	nat_traversal off;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha256;
		authentication_method rsasig;
		lifetime time 30 sec;
		dh_group 16;
	}
}

remote aaa.bbb.ccc.ddd [500] {
	exchange_mode main;
	doi ipsec_doi;
	my_identifier asn1dn;
	peers_identifier asn1dn;
	verify_identifier on;
	certificate_type x509 "host1.ru.crt" "host1.ru.key";
	ca_type x509 "ca.crt";
	dpd_delay 10;
	lifetime time 12 hour;	# sec,min,hour
	passive off;
	proposal_check strict;	# obey, strict, or claim
	nat_traversal off;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha256;
		authentication_method rsasig;
		lifetime time 30 sec;
		dh_group 16;
	}
}

sainfo anonymous {
	pfs_group 16;
	lifetime time 12 hour;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha256;
	compression_algorithm deflate;
}
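The "two SAs per direction" symptom discussed in this thread can be checked against the kernel SAD rather than guessed from racoon's logs. The script below is an added example, not code from the thread or from ipsec-tools: it parses the text that `setkey -D` prints on FreeBSD, groups ESP/AH SAs by (src, dst, reqid) as if_ipsec(4) does, and reports directions that carry more than one mature SA. The dump is constructed here, and the parser assumes the `src dst` / `esp mode=... spi=... reqid=...` / `... state=...` layout of setkey's SAD output.

```python
import re
from collections import defaultdict

# Constructed `setkey -D` sample (not from the thread's hosts): A->B has two mature SAs
# with one reqid (the reported symptom); B->A has one mature plus one dying (rekey overlap).
SAMPLE_SAD = """\
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=16909060(0x01020304) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=84281096(0x05060708) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=286331153(0x11111111) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=572662306(0x22222222) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
"""

ENDPOINTS = re.compile(r"^(\S+)\s+(\S+)\s*$")   # unindented "src dst" line opens an entry
SA_HEADER = re.compile(r"^\s+(esp|ah)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-f]+)\)\s+reqid=(\d+)")
SA_STATE = re.compile(r"\bstate=(\w+)")          # real output indents with tabs; \s+ accepts both

def parse_sad(text):
    """Return a list of dicts (src, dst, proto, mode, spi, reqid, state) from setkey -D text."""
    entries, src, dst = [], None, None
    for line in text.splitlines():
        m = ENDPOINTS.match(line)
        if m:
            src, dst = m.groups()          # following indented lines belong to this pair
            continue
        m = SA_HEADER.match(line)
        if m and src is not None:
            proto, mode, spi, reqid = m.groups()
            entries.append({"src": src, "dst": dst, "proto": proto, "mode": mode,
                            "spi": spi, "reqid": int(reqid), "state": "unknown"})
            continue
        m = SA_STATE.search(line)
        if m and entries:
            entries[-1]["state"] = m.group(1)  # state line follows its SA header
    return entries

def duplicate_directions(entries):
    """Map (src, dst, reqid) -> SPIs for directions that carry more than one mature SA."""
    groups = defaultdict(list)
    for sa in entries:
        if sa["state"] == "mature":          # ignore dying/larval SAs left by rekeying
            groups[(sa["src"], sa["dst"], sa["reqid"])].append(sa["spi"])
    return {key: spis for key, spis in groups.items() if len(spis) > 1}
```

On a live host, feed `subprocess.check_output(["setkey", "-D"], text=True)` to `parse_sad` instead of the sample; an empty result means each (direction, reqid) pair has at most one mature SA, and any reported pair is a candidate for the duplicate-SA behaviour the thread describes.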
