multiple if_ipsec

[Julian Elischer]

On 8/5/18 9:51 pm, Andrey V. Elsukov wrote:
> On 08.05.2018 14:03, peter.blok at bsd4all.org wrote:
>> Hi Victor,
>>
>> I’m struggling wit the same issue. My sainfo doesn’t match unless I
>> use anonymous.
>>
>> Hi Andrey,
>>
>> What I don’t understand is why a “catchall” policy is added instead
>> of the policy that matches the inner tunnel.
> This is because the how IPsec works in BSD network stack.
>
> In simple words - outbound traffic is matched by security policy,
> inbound is matched by security association.
>
> When a packet is going to be send from a host, the kernel checks
> security policies for match. If it is matched, a packet goes into IPsec
> processing. Then IPsec code using given security policy does lookup for
> matched security association. And some IPsec transform happens.
>
> When a host receives a packet, it handled by network stack first. And
> if it has corresponding IPsec inner protocol (ESP, AH), it will be
> handled by IPsec code. A packet has embedded SPI, it is used for
> security association lookup. If corresponding SA is found, the IPsec
> code will apply revers IPsec transform to the packet. Then the kernel
> checks, that there is some security policy for that packet.
>
> Now how if_ipsec(4) works. Security policies associated with interface
> have configured requirements for tunnel mode with configured addresses.
> Interfaces are designed for route based VPN, and when a packet is going
> to be send through if_ipsec interface, its "output" routine uses
> security policy associated with interface and with configured "reqid".
>
> If there are no SAs configured with given reqid, the IPsec code will
> send ACQUIRE message to IKE and it should install SAs, that will be used
> for IPsec transforms.
>
> When a host receives a packet, it handled by network stack, then by
> IPsec code and when reverse transform is finished, IPsec code checks, if
> packet was matched by tunnel mode SA it will be checked by if_ipsec
> input routine. If addresses and reqid from SA matched to if_ipsec
> configuration, it will be taken by if_ipsec interface.
>
>
>> What is supposed to happen here? Is the IKE daemon supposed to update
>> the policy once started.
> In my understanding IKE is only supposed to install SAs for if_ipsec.
> It can't change these policies, because they are immutable.
>
> I think for proper support of several if_ipsec interfaces racoon needs
> some patches. But I have not spare time to do this job.
> I recommend to use strongswan, it has active developers that are
> responsive and may give some help at least.
>
> There was the link with example, but it also uses only one interface:
> https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
>
my answer was to create a jail to act as the endpoint of each vpn 
using VIMAGE and then allow each jail to run its own raccoon.