multiple if_ipsec

Wed May 9 07:21:51 UTC 2018

Andrey,

I was planning to move towards Strongswan anyway. The 1st step (with 1 interface worked great)

Julian,

The idea of having a jail as VPN end-point is going to help me transition step by step and possibly have both racoon and strongswan active.

Thx,

Peter

> On 9 May 2018, at 03:08, Julian Elischer <julian at freebsd.org> wrote:
> 
> On 8/5/18 9:51 pm, Andrey V. Elsukov wrote:
>> On 08.05.2018 14:03, peter.blok at bsd4all.org wrote:
>>> Hi Victor,
>>> 
>>> I’m struggling wit the same issue. My sainfo doesn’t match unless I
>>> use anonymous.
>>> 
>>> Hi Andrey,
>>> 
>>> What I don’t understand is why a “catchall” policy is added instead
>>> of the policy that matches the inner tunnel.
>> This is because the how IPsec works in BSD network stack.
>> 
>> In simple words - outbound traffic is matched by security policy,
>> inbound is matched by security association.
>> 
>> When a packet is going to be send from a host, the kernel checks
>> security policies for match. If it is matched, a packet goes into IPsec
>> processing. Then IPsec code using given security policy does lookup for
>> matched security association. And some IPsec transform happens.
>> 
>> When a host receives a packet, it handled by network stack first. And
>> if it has corresponding IPsec inner protocol (ESP, AH), it will be
>> handled by IPsec code. A packet has embedded SPI, it is used for
>> security association lookup. If corresponding SA is found, the IPsec
>> code will apply revers IPsec transform to the packet. Then the kernel
>> checks, that there is some security policy for that packet.
>> 
>> Now how if_ipsec(4) works. Security policies associated with interface
>> have configured requirements for tunnel mode with configured addresses.
>> Interfaces are designed for route based VPN, and when a packet is going
>> to be send through if_ipsec interface, its "output" routine uses
>> security policy associated with interface and with configured "reqid".
>> 
>> If there are no SAs configured with given reqid, the IPsec code will
>> send ACQUIRE message to IKE and it should install SAs, that will be used
>> for IPsec transforms.
>> 
>> When a host receives a packet, it handled by network stack, then by
>> IPsec code and when reverse transform is finished, IPsec code checks, if
>> packet was matched by tunnel mode SA it will be checked by if_ipsec
>> input routine. If addresses and reqid from SA matched to if_ipsec
>> configuration, it will be taken by if_ipsec interface.
>> 
>> 
>>> What is supposed to happen here? Is the IKE daemon supposed to update
>>> the policy once started.
>> In my understanding IKE is only supposed to install SAs for if_ipsec.
>> It can't change these policies, because they are immutable.
>> 
>> I think for proper support of several if_ipsec interfaces racoon needs
>> some patches. But I have not spare time to do this job.
>> I recommend to use strongswan, it has active developers that are
>> responsive and may give some help at least.
>> 
>> There was the link with example, but it also uses only one interface:
>> https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
>> 
> my answer was to create a jail to act as the endpoint of each vpn using VIMAGE and then allow each jail to run its own raccoon.
> 
> 
> _______________________________________________
> freebsd-net at freebsd.org <mailto:freebsd-net at freebsd.org> mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net <https://lists.freebsd.org/mailman/listinfo/freebsd-net>
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org <mailto:freebsd-net-unsubscribe at freebsd.org>"