multiple if_ipsec

peter.blok at bsd4all.org
Sun May 13 12:25:29 UTC 2018


Hi,

I have mixed types of configurations. I’ll give it a run next week.

So far I have tried a tunnel with if_ipsec and strongswan at one end and gif and racoon at the other end. I have tried if_ipsec with strongswan on both ends.

I’ll start with recompiling racoon today and using it to see if it breaks any existing stuff.

Peter



> On 13 May 2018, at 13:59, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> 
> On 08.05.2018 16:51, Andrey V. Elsukov wrote:
>> I think that for proper support of several if_ipsec interfaces racoon needs
>> some patches. But I do not have spare time to do this job.
>> I recommend using strongswan; it has active developers who are
>> responsive and may at least give some help.
> 
> Hi,
> 
> Today I hacked ipsec-tools a bit, and made the patch that adds support
> for multiple if_ipsec interfaces.
> 
> 	https://people.freebsd.org/~ae/patch-reqid.diff
> 
> You can put this patch into ipsec-tools/files/ directory and then
> rebuild the package. I'm not sure about compatibility with generic
> configurations, I tested only the case with two if_ipsec tunnels.
> 
> What it does:
> * added a new configuration option for the sainfo section - "reqid NUM";
> * the policy index was extended to contain the reqid, so now racoon's security
> policies from multiple interfaces don't overlap;
> * logging was extended to print the reqid in some places.
> 
> How it is expected to be used:
> 
> In racoon.conf you have several "remote IP-address {}" sections. Each
> section should have a "ph1id NUM" option. This option is used to select the
> corresponding "sainfo {}". You can have many "sainfo anonymous {}"
> sections with different "remoteid NUM", where NUM should match "ph1id
> NUM". Also you need to add a "reqid N" option to these sainfo sections.
> This reqid should match the value configured on the if_ipsec interface.
> 
> I.e. "ph1id NUM" and "remoteid NUM" are used to create a relation between
> the "sainfo" and "remote" sections, and the "reqid N" option is used to look up
> the corresponding SP in the SPDB and install the proper SA with the needed reqid.
> 
> An example based on your config:
> 
> remote 10.9.8.2
> {
>        exchange_mode main,aggressive;
>        doi ipsec_doi;
>        situation identity_only;
> 
>        my_identifier address 10.9.8.3;
>        peers_identifier address 10.9.8.2;
>        ph1id 10982;
> 
>        nonce_size 16;
>        initial_contact on;
>        proposal_check obey;    # obey, strict, or claim
>        passive off;
> 
>        proposal {
>                encryption_algorithm 3des;
>                hash_algorithm sha1;
>                authentication_method pre_shared_key;
>                dh_group 2;
>        }
> }
> 
> remote 10.9.8.6
> {
>        exchange_mode main,aggressive;
>        doi ipsec_doi;
>        situation identity_only;
> 
>        my_identifier address 10.9.8.3;
>        peers_identifier address 10.9.8.6;
>        ph1id 10986;
> 
>        nonce_size 16;
>        initial_contact on;
>        proposal_check obey;
>        passive off;
> 
>        proposal {
>                encryption_algorithm aes;
>                hash_algorithm sha256;
>                authentication_method pre_shared_key;
>                dh_group 2;
>        }
> }
> 
> sainfo anonymous
> {
>        remoteid 10982;
>        reqid 100;
>        lifetime time 24 hour;
> 
>        pfs_group 2;
>        encryption_algorithm 3des;
>        authentication_algorithm hmac_sha1;
>        compression_algorithm deflate;
> }
> 
> sainfo anonymous
> {
>        remoteid 10986;
>        reqid 200;
>        lifetime time 24 hour;
> 
>        pfs_group 2;
>        encryption_algorithm aes;
>        authentication_algorithm hmac_sha256;
>        compression_algorithm deflate;
> }
> 
> sainfo anonymous
> {
>        lifetime time 30 min;
> 
>        pfs_group 2;
>        encryption_algorithm des;
>        authentication_algorithm hmac_md5;
>        compression_algorithm deflate;
> }
> 
> -- 
> WBR, Andrey V. Elsukov
> 
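The ph1id/remoteid/reqid chain described in the quoted message, as an added example that is not part of the post, of ipsec-tools or of the patch: a small Python checker that parses the subset of racoon.conf syntax shown above and verifies that every sainfo's remoteid names some remote's ph1id, that no two sainfo sections claim the same reqid, and that each if_ipsec interface's reqid has exactly one sainfo (and vice versa). The sample configuration and the interface-to-reqid mapping are constructed for the example (the mapping stands in for the reqid each tunnel was created with via ifconfig); the parser handles only this subset, not racoon's full grammar.

```python
"""Check that a racoon.conf is consistent with a set of if_ipsec reqids.
Added example, not part of the post, ipsec-tools or the patch: it parses only
the racoon.conf subset used in the post ("remote ADDR { ph1id N; }" and
"sainfo anonymous { remoteid N; reqid N; }") and walks the chain
remote.ph1id -> sainfo.remoteid -> sainfo.reqid -> if_ipsec reqid.
The brace parser is minimal and is not racoon's grammar."""
import re
from typing import Dict, List

# Constructed sample, shaped like the config in the post (trimmed).
SAMPLE_CONF = """
remote 10.9.8.2 {
    ph1id 10982;
    proposal { encryption_algorithm 3des; }
}
remote 10.9.8.6 {
    ph1id 10986;
    proposal { encryption_algorithm aes; }
}
sainfo anonymous {
    remoteid 10982;
    reqid 100;
}
sainfo anonymous {
    remoteid 10986;
    reqid 200;
}
sainfo anonymous {
    lifetime time 30 min;   # catch-all: no remoteid, no reqid
}
"""
# Constructed: the reqid each tunnel was created with ("ifconfig ipsecN create reqid N").
IFACE_REQIDS = {"ipsec0": 100, "ipsec1": 200}

_SECTION = re.compile(r"^\s*(remote|sainfo)\s+(\S+)\s*(\{)?\s*$")
_OPTION = re.compile(r"^\s*(\w+)\s+(.*?)\s*;\s*$")


def parse_sections(text: str) -> List[dict]:
    """Return top-level remote/sainfo sections as {'kind', 'arg', 'opts'}."""
    sections, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]                 # strip trailing comments
        if not line.strip():
            continue
        if current is None:
            m = _SECTION.match(line)
            if m:
                current = {"kind": m.group(1), "arg": m.group(2), "opts": {}}
                depth = 1 if m.group(3) else 0      # "{" may sit on the header line
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                              # section closed
            sections.append(current)
            current = None
        elif depth == 1 and "{" not in line and "}" not in line:
            m = _OPTION.match(line)                 # top-level "key value;" only
            if m:                                   # nested proposal {} is skipped
                current["opts"][m.group(1)] = m.group(2)
    return sections


def check(conf_text: str, iface_reqids: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the chain is consistent."""
    problems: List[str] = []
    sections = parse_sections(conf_text)
    ph1ids: Dict[str, str] = {}                     # ph1id -> remote address
    for s in (x for x in sections if x["kind"] == "remote"):
        ph1id = s["opts"].get("ph1id")
        if ph1id is None:
            problems.append(f"remote {s['arg']}: no ph1id, no sainfo can select it")
        elif ph1id in ph1ids:
            problems.append(f"remote {s['arg']}: ph1id {ph1id} also used by {ph1ids[ph1id]}")
        else:
            ph1ids[ph1id] = s["arg"]
    owner: Dict[int, str] = {}                      # reqid -> remoteid of the sainfo claiming it
    for s in (x for x in sections if x["kind"] == "sainfo"):
        rid, reqid = s["opts"].get("remoteid"), s["opts"].get("reqid")
        if rid is None and reqid is None:
            continue                                # catch-all sainfo, never bound to a tunnel
        if rid is None:
            problems.append(f"sainfo reqid {reqid}: no remoteid, cannot be tied to a remote")
        elif rid not in ph1ids:
            problems.append(f"sainfo remoteid {rid}: no remote has ph1id {rid}")
        if reqid is None:
            problems.append(f"sainfo remoteid {rid}: no reqid, its SAs match no if_ipsec SP")
        elif int(reqid) in owner:
            problems.append(f"sainfo remoteid {rid}: reqid {reqid} already used by "
                            f"sainfo remoteid {owner[int(reqid)]}")
        else:
            owner[int(reqid)] = rid
    for iface, reqid in iface_reqids.items():       # every tunnel needs one sainfo ...
        if reqid not in owner:
            problems.append(f"{iface}: no sainfo carries 'reqid {reqid}'")
    for reqid in owner:                             # ... and every reqid needs a tunnel
        if reqid not in iface_reqids.values():
            problems.append(f"sainfo reqid {reqid}: no if_ipsec interface uses it")
    return problems


if __name__ == "__main__":
    print(check(SAMPLE_CONF, IFACE_REQIDS) or "ok: ph1id/remoteid/reqid chain is consistent")
```

Run as-is it reports a consistent chain for the sample; point IFACE_REQIDS at a reqid no sainfo carries, or give two sainfo sections the same reqid, and it names the tunnel whose SP would never be matched by a negotiated SA.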
