route based ipsec

KOT MATPOCKuH matpockuh at gmail.com
Thu May 2 20:16:29 UTC 2019


Hello!

I'm trying to make a full mesh VPN using route based IPsec between four
hosts under FreeBSD 12.
I used racoon from security/ipsec-tools (as recommended in
https://www.freebsd.org/doc/handbook/ipsec.html).
The result seems to work, but I got some problems:
0. The ipsec-tools port currently does not have a maintainer (C) portmaster
... Is this solution really supported? Or should I switch to another
IKE daemon?

1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
on another host):
(gdb) bt
#0  0x000000000024417f in isakmp_info_recv ()
#1  0x00000000002345f4 in isakmp_main ()
#2  0x00000000002307d0 in isakmp_handler ()
#3  0x000000000022f10d in session ()
#4  0x000000000022e62a in main ()

2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
IMHO one SA for each traffic direction should be enough.

3. ping and TCP traffic work over the IPsec tunnels, but, for example, bird
can't establish an OSPF neighborhood over some (!) IPsec tunnels.
I tried to watch traffic on the IPsec tunnels and got some strange behavior.
For example, ping hostA from hostD:
> ping -c 2 192.168.31.9
PING 192.168.31.9 (192.168.31.9): 56 data bytes
64 bytes from 192.168.31.9: icmp_seq=0 ttl=64 time=1.334 ms
64 bytes from 192.168.31.9: icmp_seq=1 ttl=64 time=1.280 ms
tcpdump on this hostD:
# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362318 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 0, length 64
23:08:53.363604 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384518 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 1, length 64
23:08:54.385731 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq
On the second side:
# tcpdump -pni ipsec2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec2, link-type NULL (BSD loopback), capture size 262144 bytes
23:08:53.362196 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384441 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64

I think it may be the result of two SAs for each direction: some traffic
may be passed to the kernel using the second SA, but can't be associated
with the proper ipsecX interface.

What can you recommend to solve these problems?

PS. Not using IPsec on FreeBSD is a known, but wrong, answer :)

-- 
MATPOCKuH
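A small diagnostic for the asymmetry shown in the two captures above (added here as an example; it is not part of the original post and not an ipsec-tools or FreeBSD tool). It parses tcpdump ICMP echo lines from both ends of an ipsecX tunnel and lists packets that left one interface but were never seen on the peer's interface, which is exactly what would happen if inbound packets arrive through a second SA that is not bound to the interface. The sample captures are constructed from the post's output, rejoined into tcpdump's single-line form.

```python
import re
import sys

# Constructed sample captures modelled on the tcpdump output quoted in the post.
HOSTD_CAPTURE = """\
23:08:53.362318 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 0, length 64
23:08:53.363604 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384518 IP 192.168.31.10 > 192.168.31.9: ICMP echo request, id 29396, seq 1, length 64
23:08:54.385731 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64
"""
HOSTA_CAPTURE = """\
23:08:53.362196 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 0, length 64
23:08:54.384441 IP 192.168.31.9 > 192.168.31.10: ICMP echo reply, id 29396, seq 1, length 64
"""

# Matches one tcpdump line for an ICMP echo request/reply; the banner lines do not match.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(capture):
    """Return the set of (src, dst, kind, id, seq) tuples seen in a tcpdump capture."""
    seen = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen.add((m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return seen


def missing_on_peer(local_capture, peer_capture):
    """Echo packets seen on the local ipsecX interface that never appear on the peer's.

    Any packet the peer answered but did not see on its ipsecX interface reached
    the peer's kernel by another path (e.g. a second SA not bound to the interface).
    """
    return sorted(parse_icmp(local_capture) - parse_icmp(peer_capture))


if __name__ == "__main__":
    # Usage: compare.py <local tcpdump file> <peer tcpdump file>; defaults to the samples.
    local, peer = (open(p).read() for p in sys.argv[1:3]) if len(sys.argv) == 3 \
        else (HOSTD_CAPTURE, HOSTA_CAPTURE)
    for pkt in missing_on_peer(local, peer):
        print("seen locally, not on peer interface:", pkt)
```

Run it with `tcpdump -pni ipsecN` output from both hosts; an empty result means every packet that crossed one interface was also seen by the other.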
