Hello!
On 5 May 2019 at 13:50, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to another
> > IKE daemon?
> I think it is unmaintained in upstream too.
>
But why is it still recommended in the FreeBSD handbook?
> > 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> > on another host):
> > (gdb) bt
> > #0 0x000000000024417f in isakmp_info_recv ()
> > #1 0x00000000002345f4 in isakmp_main ()
> > #2 0x00000000002307d0 in isakmp_handler ()
> > #3 0x000000000022f10d in session ()
> > #4 0x000000000022e62a in main ()
> >
> > 2. racoon generated 2 SAs for each traffic direction (from hostA to
> > hostB).
> > IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.
>
I don't understand what in my configuration can cause core dumps in a running
daemon...
I have attached a sample racoon.conf. Can you check it for possible problems?
Also on one host I got a crash in another function:
(gdb) bt
#0 0x000000000024717f in privsep_init ()
#1 0x00000000002375f4 in inscontacted ()
#2 0x00000000002337d0 in isakmp_plist_set_all ()
#3 0x000000000023210d in isakmp_ph2expire ()
#4 0x000000000023162a in isakmp_ph1delete ()
#5 0x000000000023110b in isakmp_ph2resend ()
#6 0x00000008002aa000 in ?? ()
#7 0x0000000000000000 in ?? ()
> Note that if_ipsec(4) interfaces have their own security policies and you
> need to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add a special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in
> the port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html
>
This patch is already applied to the ports tree.
But it's not enough in my case :(
> Also you can use strongswan; we have used it for some time and have no problems.
>
Okay. Thank you! I will try to use strongswan.
I tried to replace rsasig authentication with psk, but without luck.
I again got two IPsec SAs for each direction....
--
MATPOCKuH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racoon.conf
Type: application/octet-stream
Size: 2490 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20190507/58633b2a/attachment.obj>
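The two technical points in the exchange above, that each if_ipsec(4) interface is told apart by its reqid and that the reporter sees two SAs per traffic direction, can both be checked from the output of setkey -D. The following is an added example and is not code from this thread, from ipsec-tools or from FreeBSD: a POSIX sh/awk check that groups the SAs in a setkey -D dump by (src, dst, protocol, reqid) and flags any direction that carries more than one SA under the same reqid, while leaving SAs that differ only in reqid alone, since those belong to different if_ipsec(4) tunnels. The sample dumps are constructed, and the interface names, reqid values, addresses and SPIs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from this thread, ipsec-tools or FreeBSD): group the SAs
# printed by `setkey -D` by (src, dst, proto, reqid) and flag a direction that
# carries more than one SA under the same reqid.
#
# if_ipsec(4) setup this check assumes (not executed here): every tunnel
# interface gets its own reqid, so SAs for two tunnels between the same
# address pair are told apart by reqid alone. Interface names, reqids and
# addresses below are illustrative.
#   ifconfig ipsec0 create reqid 100 tunnel 192.0.2.1 192.0.2.2
#   ifconfig ipsec1 create reqid 200 tunnel 192.0.2.1 192.0.2.2
#
# Assumed `setkey -D` layout: each SA starts with an unindented "src dst" line,
# followed by an indented "esp|ah mode=... spi=N(0x..) reqid=N(0x..)" line.

# Read a setkey -D dump on stdin; print "src dst proto reqid count" per group.
sa_groups() {
    awk '
    # Unindented two-token line: the address pair that opens an SA entry.
    NF == 2 && $0 !~ /^[[:space:]]/ { src = $1; dst = $2; next }
    # Indented esp/ah line: pull the numeric reqid (strip the "(0x..)" suffix).
    $0 ~ /^[[:space:]]/ && ($1 == "esp" || $1 == "ah") {
        reqid = "none"
        for (i = 2; i <= NF; i++)
            if ($i ~ /^reqid=/) {
                reqid = $i
                sub(/^reqid=/, "", reqid)
                sub(/\(.*$/, "", reqid)
            }
        count[src " " dst " " $1 " " reqid]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Exit 0 when every (direction, proto, reqid) has exactly one SA; otherwise
# list the offenders and exit 1. Two SAs with *different* reqids are fine:
# they belong to different if_ipsec(4) interfaces.
check_dup_sas() {
    dups=$(sa_groups | awk '$5 > 1')
    if [ -n "$dups" ]; then
        printf 'more than one SA for the same direction and reqid:\n%s\n' "$dups"
        return 1
    fi
    return 0
}

# Constructed sample dumps (not real captures). Only the header lines of each
# SA entry are reproduced; a real dump also prints keys, lifetimes, etc.
# Two tunnels (reqid 100 and 200) between the same hosts, one SA per direction:
SAMPLE_GOOD=$(printf '%b\n' \
    '192.0.2.1 192.0.2.2' \
    '\tesp mode=tunnel spi=1001(0x000003e9) reqid=100(0x00000064)' \
    '\tE: aes-cbc  0123456789abcdef0123456789abcdef' \
    '192.0.2.2 192.0.2.1' \
    '\tesp mode=tunnel spi=1002(0x000003ea) reqid=100(0x00000064)' \
    '192.0.2.1 192.0.2.2' \
    '\tesp mode=tunnel spi=2001(0x000007d1) reqid=200(0x000000c8)' \
    '192.0.2.2 192.0.2.1' \
    '\tesp mode=tunnel spi=2002(0x000007d2) reqid=200(0x000000c8)')
# The symptom reported above: two SAs in the same direction under one reqid.
SAMPLE_DUP=$(printf '%b\n' \
    '192.0.2.1 192.0.2.2' \
    '\tesp mode=tunnel spi=1001(0x000003e9) reqid=100(0x00000064)' \
    '192.0.2.1 192.0.2.2' \
    '\tesp mode=tunnel spi=1003(0x000003eb) reqid=100(0x00000064)' \
    '192.0.2.2 192.0.2.1' \
    '\tesp mode=tunnel spi=1002(0x000003ea) reqid=100(0x00000064)')

# Usage on a live host:  setkey -D | check_dup_sas
# Run with "demo" to exercise the constructed samples instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | check_dup_sas && echo "good sample: ok"
    printf '%s\n' "$SAMPLE_DUP" | check_dup_sas || echo "dup sample: flagged"
fi
```

One caveat before treating a hit as a bug: during rekeying the old and new SA for a direction coexist for a short time under the same reqid, so the check should be repeated after the soft lifetime has passed; only a pair that persists points at the daemon installing extra SAs. The policy side of the same question, whether racoon has added SPD entries next to the ones the if_ipsec(4) interfaces own, is read from setkey -DP rather than setkey -D.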