multiple if_ipsec
Andrey V. Elsukov
bu7cher at yandex.ru
Sun May 13 12:02:09 UTC 2018
On 08.05.2018 16:51, Andrey V. Elsukov wrote:
> I think for proper support of several if_ipsec interfaces racoon needs
> some patches. But I have not spare time to do this job.
> I recommend to use strongswan, it has active developers that are
> responsive and may give some help at least.
Hi,
Today I hacked ipsec-tools a bit, and made the patch that adds support
for multiple if_ipsec interfaces.
https://people.freebsd.org/~ae/patch-reqid.diff
You can put this patch into ipsec-tools/files/ directory and then
rebuild the package. I'm not sure about compatibility with generic
configurations, I tested only the case with two if_ipsec tunnels.
What it does:
* added new configuration option for sainfo section - "reqid NUM";
* policy index was extended to contain reqid, so now racoon's security
policies from multiple interfaces don't overlapped;
* logging extended to print reqid in some places.
How it is expected to be used:
In racoon.conf you have several "remote IP-address {}" sections. Each
section should have "ph1id NUM" option. This option is used to select
corresponding "sainfo {}". You can have many "sainfo anonymous {}"
sections with different "remoteid NUM", where NUM should match to "ph1id
NUM". Also you need to add "reqid N" option to these sainfo sections.
This reqid should match to value configured in if_ipsec interface.
I.e. "ph1id NUM" and "remoteid NUM" are used to create relation between
"sainfo" and "remote" sections. And "requid N" options is used to lookup
corresponding SP in SPDB and install proper SA with needed reqid.
The example based on your config:
remote 10.9.8.2
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 10.9.8.3;
peers_identifier address 10.9.8.2;
ph1id 10982;
nonce_size 16;
initial_contact on;
proposal_check obey; # obey, strict, or claim
passive off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
remote 10.9.8.6
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 10.9.8.3;
peers_identifier address 10.9.8.6;
ph1id 10986;
nonce_size 16;
initial_contact on;
proposal_check obey;
passive off;
proposal {
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
remoteid 10982;
reqid 100;
lifetime time 24 hour;
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo anonymous
{
remoteid 10986;
reqid 200;
lifetime time 24 hour;
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha256;
compression_algorithm deflate;
}
sainfo anonymous
{
lifetime time 30 min;
pfs_group 2;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
--
WBR, Andrey V. Elsukov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20180513/f444085d/attachment.sig>
More information about the freebsd-net
mailing list