On 02.05.2019 23:16, KOT MATPOCKuH wrote:
> I'm trying to make a full mesh VPN using route-based IPsec between four
> hosts under FreeBSD 12.
> I used racoon from security/ipsec-tools (as recommended in
> https://www.freebsd.org/doc/handbook/ipsec.html)
> The result seems to work, but I got some problems:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?

I think it is unmaintained in upstream too.

> 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> on another host):
> (gdb) bt
> #0 0x000000000024417f in isakmp_info_recv ()
> #1 0x00000000002345f4 in isakmp_main ()
> #2 0x00000000002307d0 in isakmp_handler ()
> #3 0x000000000022f10d in session ()
> #4 0x000000000022e62a in main ()
>
> 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> IMHO one SA for each traffic direction should be enough.

Probably you have something wrong in your configuration. Note that
if_ipsec(4) interfaces have their own security policies and you need to
check that racoon doesn't create additional policies. Also, if_ipsec(4)
uses the "reqid" parameter to distinguish IPsec SAs between interfaces.
I made a patch to add a special parameter for racoon, so it is possible
to use several if_ipsec(4) interfaces. I think it should be in the port.
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

Also you can use strongswan; we have used it for some time and have no
problems.

> 3. ping and TCP traffic works over ipsec tunnels, but, for example,...
> I think it may be the result of two SAs for each direction, and some
> traffic can be passed to the kernel using the second SA, but can't be
> associated with the proper ipsecX interface.

Yes. Each SA has its SPI, which is used to encrypt/decrypt packets.
An if_ipsec(4) interface uses security policies with a specific reqid;
the IKE daemon should install SAs with the same reqid, then packets that
are going through the if_ipsec(4) interface can be correctly encrypted
and decrypted.

-- 
WBR, Andrey V. Elsukov
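The check Andrey describes (if_ipsec(4) policies carry a reqid, and every SA the IKE daemon installs must carry the same one, otherwise a second SA for the same direction can decrypt traffic that is never associated with an ipsecX interface) can be automated against setkey(8) dumps. The script below is an added example written for this thread; it is not code from the FreeBSD project, from ipsec-tools, or from either poster. It assumes the KAME-style dump format of `setkey -DP` (policy lines ending in `unique:N`, or `unique#N` for kernel-assigned reqids, which is an assumption about the dump format) and `setkey -D` (an `esp ... spi=N(0x..) reqid=N(0x..)` line per SA). The SPD and SAD samples embedded in it are constructed: TEST-NET addresses, reqid 100, and three SAs of which one (reqid 0) stands in for the stray second SA from the thread.

```shell
#!/bin/sh
# check_ipsec_reqid.sh: cross-check if_ipsec(4) policy reqids against installed SAs.
# Added example for this thread, not FreeBSD or ipsec-tools code. Real setkey(8)
# output is tab-indented; the awk patterns below accept tabs or spaces.

# Constructed sample of `setkey -DP`: one if_ipsec interface configured with reqid 100.
SAMPLE_SPD='0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/unique:100
    spid=2 seq=1 pid=1234
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/unique:100
    spid=1 seq=0 pid=1234
    refcnt=1
'

# Constructed sample of `setkey -D`: three SAs. The third one has reqid 0, i.e. it
# was negotiated without the interface reqid and is a second SA for the out direction.
SAMPLE_SAD='192.0.2.1 192.0.2.2
    esp mode=tunnel spi=305419896(0x12345678) reqid=100(0x00000064)
    E: aes-gcm-16 (constructed key omitted)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=100(0x00000064)
    E: aes-gcm-16 (constructed key omitted)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
    E: aes-gcm-16 (constructed key omitted)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# Print the distinct reqids referenced by the policies, one per line.
policy_reqids() {
    printf '%s\n' "$1" | awk -F'/' \
        '/unique[:#][0-9]+$/ { sub(/^unique[:#]/, "", $NF); print $NF }' | sort -u
}

# Print one "src dst spi reqid" line per SA in the SAD dump.
sa_table() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { src = $1; dst = $2; next }
        /^[ \t]+esp / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^spi=/)   { spi = $i; sub(/^spi=/, "", spi); sub(/\(.*/, "", spi) }
                if ($i ~ /^reqid=/) { rq = $i;  sub(/^reqid=/, "", rq); sub(/\(.*/, "", rq) }
            }
            print src, dst, spi, rq
        }'
}

# List SAs whose reqid matches no if_ipsec policy: the kernel can decrypt with
# them, but the packets are never bound to an ipsecX interface.
stray_sas() {
    want=$(policy_reqids "$1" | tr '\n' ' ')
    sa_table "$2" | while read -r src dst spi rq; do
        case " $want " in
            *" $rq "*) ;;
            *) echo "$src $dst $spi $rq" ;;
        esac
    done
}

# Count SAs per direction ("src>dst count"); more than one per direction is the
# duplicate-SA symptom (item 2 in the thread).
sa_per_direction() {
    sa_table "$1" | awk '{ n[$1 ">" $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# With no argument the constructed samples are checked; "live" reads the running
# kernel's SPD and SAD through setkey(8) instead.
if [ "${1:-}" = "live" ]; then
    SPD=$(setkey -DP); SAD=$(setkey -D)
else
    SPD=$SAMPLE_SPD; SAD=$SAMPLE_SAD
fi
echo "policy reqids:";                              policy_reqids "$SPD"
echo "SAs per direction:";                          sa_per_direction "$SAD"
echo "SAs matching no if_ipsec policy reqid:";      stray_sas "$SPD" "$SAD"
```

On the samples the script reports reqid 100 for the policies, two SAs in the 192.0.2.1 to 192.0.2.2 direction, and the reqid 0 SA as the stray one; on a host running `./check_ipsec_reqid.sh live`, an empty stray list and one SA per direction is what a correctly configured if_ipsec(4) setup looks like.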
Hello!

On 5 May 2019 at 13:50, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to another
> > IKE daemon?
> I think it is unmaintained in upstream too.

But why is it still recommended in the FreeBSD handbook?

> > 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> > on another host):
> > (gdb) bt
> > #0 0x000000000024417f in isakmp_info_recv ()
> > #1 0x00000000002345f4 in isakmp_main ()
> > #2 0x00000000002307d0 in isakmp_handler ()
> > #3 0x000000000022f10d in session ()
> > #4 0x000000000022e62a in main ()
> >
> > 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> > IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.

I don't understand what in my configuration can make a running daemon
dump core... I attached a sample racoon.conf. Can you check it for
possible problems?

Also on one host I got a crash in another function:
(gdb) bt
#0 0x000000000024717f in privsep_init ()
#1 0x00000000002375f4 in inscontacted ()
#2 0x00000000002337d0 in isakmp_plist_set_all ()
#3 0x000000000023210d in isakmp_ph2expire ()
#4 0x000000000023162a in isakmp_ph1delete ()
#5 0x000000000023110b in isakmp_ph2resend ()
#6 0x00000008002aa000 in ?? ()
#7 0x0000000000000000 in ?? ()

> Note that if_ipsec(4) interfaces have their own security policies and you
> need to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add a special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in
> the port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

This patch is already applied to the ports tree.
But it's not enough in my case :(

> Also you can use strongswan; we have used it for some time and have no
> problems.

Okay. Thank you! I will try to use strongswan.
I tried to replace rsasig authentication with psk, but without luck. I'm
again getting two IPsec SAs for each direction...

-- 
MATPOCKuH

[Attachment: racoon.conf (application/octet-stream, 2490 bytes)
<http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20190507/58633b2a/attachment.obj>]