multiple if_ipsec

Andrey V. Elsukov bu7cher at yandex.ru
Tue May 8 13:53:53 UTC 2018


On 08.05.2018 14:03, peter.blok at bsd4all.org wrote:
> Hi Victor,
> 
> I’m struggling with the same issue. My sainfo doesn’t match unless I
> use anonymous.
> 
> Hi Andrey,
> 
> What I don’t understand is why a “catchall” policy is added instead
> of the policy that matches the inner tunnel.

This is because of how IPsec works in the BSD network stack.

In simple words: outbound traffic is matched by security policy,
inbound traffic is matched by security association.

When a packet is going to be sent from a host, the kernel checks the
security policies for a match. If it matches, the packet goes into IPsec
processing. Then the IPsec code, using the given security policy, looks up
a matching security association, and the IPsec transform happens.

When a host receives a packet, it is handled by the network stack first,
and if it has a corresponding IPsec inner protocol (ESP, AH), it will be
handled by the IPsec code. The packet has an embedded SPI, which is used for
the security association lookup. If the corresponding SA is found, the IPsec
code applies the reverse IPsec transform to the packet. Then the kernel
checks that there is some security policy for that packet.

Now, how if_ipsec(4) works. The security policies associated with an
interface have configured requirements for tunnel mode with the configured
addresses. The interfaces are designed for route-based VPN, and when a packet
is going to be sent through an if_ipsec interface, its "output" routine uses
the security policy associated with the interface and with the configured "reqid".

If there are no SAs configured with the given reqid, the IPsec code will
send an ACQUIRE message to IKE, and it should install the SAs that will be
used for the IPsec transforms.

When a host receives a packet, it is handled by the network stack, then by
the IPsec code, and when the reverse transform is finished, the IPsec code
checks: if the packet was matched by a tunnel-mode SA, it will be checked by
the if_ipsec input routine. If the addresses and reqid from the SA match the
if_ipsec configuration, the packet will be taken by the if_ipsec interface.


> What is supposed to happen here? Is the IKE daemon supposed to update
> the policy once started?

In my understanding, IKE is only supposed to install SAs for if_ipsec.
It can't change these policies, because they are immutable.

I think that for proper support of several if_ipsec interfaces racoon needs
some patches, but I have no spare time to do this job.
I recommend using strongswan; it has active developers who are
responsive and may give some help at least.

There was a link with an example, but it also uses only one interface:
https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec

-- 
WBR, Andrey V. Elsukov
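
Added example (not part of the thread and not FreeBSD code): a small Python model of the dispatch described in the message above, with outbound selected by the interface's own policy and reqid, and inbound by SPI, then SA, then the if_ipsec address/reqid check. Interface names, addresses, SPIs and reqids are constructed placeholders.

```python
"""Toy model of the if_ipsec dispatch described above (constructed example,
not FreeBSD code). SPs, SAs and interfaces are plain Python objects; all
addresses, SPIs and reqids are made up."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SA:
    """Security association, as IKE would install it into the SAD."""
    spi: int
    src: str            # outer (tunnel) source address
    dst: str            # outer (tunnel) destination address
    reqid: int
    tunnel_mode: bool = True

@dataclass(frozen=True)
class IpsecIf:
    """if_ipsec(4) interface; its policy is fixed at creation (immutable)."""
    name: str
    local: str
    remote: str
    reqid: int

def outbound(ifp: IpsecIf, sad: List[SA]) -> str:
    """Output path: the interface's own policy selects the SA by reqid and
    tunnel addresses; with no matching SA the kernel sends ACQUIRE to IKE."""
    for sa in sad:
        if (sa.src, sa.dst, sa.reqid) == (ifp.local, ifp.remote, ifp.reqid):
            return f"esp spi=0x{sa.spi:x} via {ifp.name}"
    return f"ACQUIRE reqid={ifp.reqid}"

def inbound(spi: int, sad: List[SA], ifs: List[IpsecIf]) -> Optional[str]:
    """Input path: SPI -> SA; after the reverse transform a tunnel-mode SA is
    offered to if_ipsec, which takes the packet only if addresses and reqid
    match one interface. Returns the interface name, or why it was not taken."""
    sa = next((s for s in sad if s.spi == spi), None)
    if sa is None:
        return None                 # unknown SPI: no SA, packet is dropped
    if not sa.tunnel_mode:
        return "transport"          # transport-mode SA: never an if_ipsec candidate
    for ifp in ifs:
        # inbound SA: the peer is the source, this host is the destination
        if (sa.src, sa.dst, sa.reqid) == (ifp.remote, ifp.local, ifp.reqid):
            return ifp.name
    return "unmatched"              # e.g. SA installed with a catch-all/other reqid
```

An SA installed under a reqid that belongs to no interface ends up "unmatched": the packet is decrypted but never handed to an if_ipsec interface, which is the symptom to check for when several interfaces share one IKE daemon.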
