Hello!

I'm trying to make a full mesh VPN using route-based IPsec between four hosts under FreeBSD 12. I used racoon from security/ipsec-tools (as recommended in https://www.freebsd.org/doc/handbook/ipsec.html). The result looks like it works, but I got some problems:

0. The ipsec-tools port currently does not have a maintainer (C) portmaster ... Is this solution really supported? Or should I switch to another IKE daemon?

1. racoon crashed 3 times with a core dump (2 times on one host, 1 time on another host):

(gdb) bt
#0  0x000000000024417f in isakmp_info_recv ()
#1  0x00000000002345f4 in isakmp_main ()
#2  0x00000000002307d0 in isakmp_handler ()
#3  0x000000000022f10d in session ()
#4  0x000000000022e62a in main ()

2. racoon generated 2 SAs for each traffic direction (from hostA to hostB). IMHO one SA for each traffic direction should be enough.

3. ping and TCP traffic work over the IPsec tunnels, but, for example, bird can't establish an OSPF neighborhood over some (!) IPsec tunnels. I tried to watch traffic on the IPsec tunnels and got some strange behavior.

For example, ping hostA from hostD:

> ping -c 2 192.168.31.9
PING 192.168.31.9 (192.168.31.9): 56 data bytes
64 bytes from 192.168.31.9: icmp_seq=0 ttl=64 time=1.334 ms
64 bytes from 192.168.31.9: icmp_seq=1 ttl=64 time=1.280 ms

tcpdump on this hostD:

# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362318 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 0, length 64
23:08:53.363604 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384518 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 1, length 64
23:08:54.385731 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq

On the second side:

# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362196 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384441 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64

I think it may be the result of two SAs for each direction, and some traffic can be passed to the kernel using the second SA, but can't be associated with the proper ipsecX interface.

What can you recommend to solve these problems?

PS. "Not using IPsec on FreeBSD" is a known, but wrong, answer :)

--
MATPOCKuH
On 5/2/2019 4:16 PM, KOT MATPOCKuH wrote:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?

Take a look at StrongSwan in the ports for your IKE daemon and google around for config examples / discussions. The bad news: the ipsec docs really need updating. The good news: StrongSwan and IPSEC in RELENG_11 and 12 are really great and well maintained. Documentation is sadly not in one place.

---Mike

-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada
On 02.05.2019 23:16, KOT MATPOCKuH wrote:
> I'm trying to make a full mesh VPN using route-based IPsec between four
> hosts under FreeBSD 12.
> I used racoon from security/ipsec-tools (as recommended in
> https://www.freebsd.org/doc/handbook/ipsec.html)
> The result looks like it works, but I got some problems:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?

I think it is unmaintained upstream too.

> 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> on another host):
> (gdb) bt
> #0  0x000000000024417f in isakmp_info_recv ()
> #1  0x00000000002345f4 in isakmp_main ()
> #2  0x00000000002307d0 in isakmp_handler ()
> #3  0x000000000022f10d in session ()
> #4  0x000000000022e62a in main ()
>
> 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> IMHO one SA for each traffic direction should be enough.

Probably you have something wrong in your configuration. Note that if_ipsec(4) interfaces have their own security policies, and you need to check that racoon doesn't create additional policies. Also, if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between interfaces. I made a patch to add a special parameter to racoon, so it is possible to use several if_ipsec(4) interfaces. I think it should be in the port.
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

Also you can use strongswan; we have used it for some time and have no problems.

> 3. ping and TCP traffic work over the IPsec tunnels, but, for example,
...
> I think it may be the result of two SAs for each direction, and some traffic
> can be passed to the kernel using the second SA, but can't be associated with
> the proper ipsecX interface.

Yes. Each SA has its SPI, which is used to encrypt/decrypt packets.
An if_ipsec(4) interface uses security policies with a specific reqid; the IKEd should install SAs with the same reqid, then packets that are going through the if_ipsec(4) interface can be correctly encrypted and decrypted.

--
WBR, Andrey V. Elsukov
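The reqid point above is something you can check on the host rather than infer from tcpdump. The script below is an added example written for this thread; it is not code from FreeBSD, racoon or strongSwan. It parses the SAD as printed by `setkey -D` and compares the mature SAs against the reqid each ipsecN interface was created with (`ifconfig ipsecN reqid N`; the name-to-reqid map is assumed to be read off `ifconfig ipsecN` and is passed in by hand here). It flags the three things this thread is about: SAs whose reqid matches no interface (or is 0, so no interface policy can select them), a direction that has more than one live SA, and a tunnel with SAs in only one direction. The sample SAD text is constructed in the `setkey -D` layout, not captured from the poster's hosts; adjust the regexes if your setkey prints the SA lines differently.

```python
"""Audit a FreeBSD SAD dump (setkey -D) against if_ipsec(4) interface reqids.

Added example for this thread; not code from FreeBSD, racoon or strongSwan.
It only parses text, so run `setkey -D` on the host and pipe the output in.
Assumption: the interface-name -> reqid map is taken from `ifconfig ipsecN`
(the reqid an interface uses is the one set with `ifconfig ipsecN reqid N`).
"""
import re
from collections import defaultdict

# `setkey -D` prints one unindented "src dst" line per SA, followed by
# indented detail lines; the two we need look like this (format assumed from
# setkey(8) output, adjust the regexes if your host prints differently):
#   esp mode=tunnel spi=4096(0x00001000) reqid=100(0x00000064)
#   seq=0x00000000 replay=0 flags=0x00000000 state=mature
SA_HEAD = re.compile(r"^(\S+) (\S+)\s*$")
SA_PROTO = re.compile(r"^\s+(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(0x[0-9a-fA-F]+\)"
                      r" reqid=(\d+)\(0x[0-9a-fA-F]+\)")
SA_STATE = re.compile(r"\bstate=(\w+)")

# Constructed sample (not captured from the thread's hosts): reqid 100 is
# healthy except for a duplicate SA in one direction, one SA carries reqid 0,
# and one SA carries a reqid no interface owns and has no return SA.
SAMPLE_SETKEY_D = """\
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=4096(0x00001000) reqid=100(0x00000064)
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=4098(0x00001002) reqid=100(0x00000064)
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
10.0.0.1 10.0.0.3
\tesp mode=tunnel spi=8192(0x00002000) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
10.0.0.3 10.0.0.1
\tesp mode=tunnel spi=8193(0x00002001) reqid=300(0x0000012c)
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
"""


def parse_setkey_d(text):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, state."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEAD.match(line)
        if m:  # unindented "src dst" line starts a new SA entry
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_PROTO.match(line)
        if m:
            cur.update(proto=m.group(1), mode=m.group(2),
                       spi=int(m.group(3)), reqid=int(m.group(4)))
            continue
        m = SA_STATE.search(line)
        if m:
            cur["state"] = m.group(1)
    return [s for s in sas if "spi" in s]


def audit_sad(text, iface_reqids):
    """Check mature SAs against {ifname: reqid}; return findings by category."""
    known = {reqid: name for name, reqid in iface_reqids.items()}
    active = [s for s in parse_setkey_d(text) if s.get("state") == "mature"]
    per_dir = defaultdict(list)  # (src, dst, reqid) -> [spi, ...]
    for s in active:
        per_dir[(s["src"], s["dst"], s["reqid"])].append(s["spi"])

    findings = defaultdict(list)
    for s in active:
        if s["reqid"] == 0:
            # An if_ipsec(4) policy only selects SAs carrying its reqid, so
            # traffic using this SA is never handed to any ipsecN interface.
            findings["unbound"].append((s["src"], s["dst"], s["spi"]))
        elif s["reqid"] not in known:
            findings["unknown_reqid"].append((s["src"], s["dst"], s["spi"], s["reqid"]))
    for (src, dst, reqid), spis in per_dir.items():
        if len(spis) > 1:  # the thread's symptom: two SAs for one direction
            findings["duplicate"].append((src, dst, reqid, sorted(spis)))
        if reqid and (dst, src, reqid) not in per_dir:
            findings["one_way"].append((src, dst, reqid))
    used = {reqid for _, _, reqid in per_dir}
    for name, reqid in iface_reqids.items():
        if reqid not in used:  # interface exists but no SA was negotiated
            findings["idle_iface"].append((name, reqid))
    return dict(findings)


if __name__ == "__main__":
    import sys
    text = SAMPLE_SETKEY_D if sys.stdin.isatty() else sys.stdin.read()
    for kind, items in audit_sad(text, {"ipsec0": 100, "ipsec1": 200}).items():
        for item in items:
            print(kind, *item)
```

Run it as `setkey -D | python3 audit_sad.py` on each host of the mesh, with the interface map edited to that host's ipsecN reqids. A clean result has every mature SA under a reqid an interface owns, exactly one SA per direction per reqid, and both directions present; a `duplicate` or `unbound` line is the condition the poster describes, where the kernel decrypts a packet with an SA that the interface policy never selects.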