multiple if_ipsec

Wed May 16 18:15:11 UTC 2018

On 09/05/2018 10:06, peter.blok at bsd4all.org wrote:
> Andrey,
> 
> I was planning to move towards Strongswan anyway. The 1st step (with 1 
> interface worked great)
> 
> Julian,
> 
> The idea of having a jail as VPN end-point is going to help me 
> transition step by step and possibly have both racoon and strongswan active.
> 
> Thx,
> 
> Peter
> 
>> On 9 May 2018, at 03:08, Julian Elischer <julian at freebsd.org 
>> <mailto:julian at freebsd.org>> wrote:
>>
>> On 8/5/18 9:51 pm, Andrey V. Elsukov wrote:
>>> On 08.05.2018 14:03, peter.blok at bsd4all.org 
>>> <mailto:peter.blok at bsd4all.org> wrote:
>>>> Hi Victor,
>>>>
>>>> I’m struggling wit the same issue. My sainfo doesn’t match unless I
>>>> use anonymous.
>>>>
>>>> Hi Andrey,
>>>>
>>>> What I don’t understand is why a “catchall” policy is added instead
>>>> of the policy that matches the inner tunnel.
>>> This is because the how IPsec works in BSD network stack.
>>>
>>> In simple words - outbound traffic is matched by security policy,
>>> inbound is matched by security association.
>>>
>>> When a packet is going to be send from a host, the kernel checks
>>> security policies for match. If it is matched, a packet goes into IPsec
>>> processing. Then IPsec code using given security policy does lookup for
>>> matched security association. And some IPsec transform happens.
>>>
>>> When a host receives a packet, it handled by network stack first. And
>>> if it has corresponding IPsec inner protocol (ESP, AH), it will be
>>> handled by IPsec code. A packet has embedded SPI, it is used for
>>> security association lookup. If corresponding SA is found, the IPsec
>>> code will apply revers IPsec transform to the packet. Then the kernel
>>> checks, that there is some security policy for that packet.
>>>
>>> Now how if_ipsec(4) works. Security policies associated with interface
>>> have configured requirements for tunnel mode with configured addresses.
>>> Interfaces are designed for route based VPN, and when a packet is going
>>> to be send through if_ipsec interface, its "output" routine uses
>>> security policy associated with interface and with configured "reqid".
>>>
>>> If there are no SAs configured with given reqid, the IPsec code will
>>> send ACQUIRE message to IKE and it should install SAs, that will be used
>>> for IPsec transforms.
>>>
>>> When a host receives a packet, it handled by network stack, then by
>>> IPsec code and when reverse transform is finished, IPsec code checks, if
>>> packet was matched by tunnel mode SA it will be checked by if_ipsec
>>> input routine. If addresses and reqid from SA matched to if_ipsec
>>> configuration, it will be taken by if_ipsec interface.
>>>
>>>
>>>> What is supposed to happen here? Is the IKE daemon supposed to update
>>>> the policy once started.
>>> In my understanding IKE is only supposed to install SAs for if_ipsec.
>>> It can't change these policies, because they are immutable.
>>>
>>> I think for proper support of several if_ipsec interfaces racoon needs
>>> some patches. But I have not spare time to do this job.
>>> I recommend to use strongswan, it has active developers that are
>>> responsive and may give some help at least.
>>>
>>> There was the link with example, but it also uses only one interface:
>>> https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
>>>
>> my answer was to create a jail to act as the endpoint of each vpn 
>> using VIMAGE and then allow each jail to run its own raccoon.

Hi All

I have FreeBSD-11.1-STABLE (r327786) + strongswan-5.6.2_1

Then IKEv1 configured and two ipsec interfaces connected to 
Cisco-routers works fine at first sight

You need both leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0 configured 
at strongswan to protocols like OSPF works properly.

I'll try to do more tests later.

Thanks Andrey!

--
CU,
Victor Gamov