route based ipsec

KOT MATPOCKuH matpockuh at gmail.com
Tue May 7 20:23:09 UTC 2019


Hello!

Sun, 5 May 2019 at 13:50, Andrey V. Elsukov <bu7cher at yandex.ru>:


> > 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> > ... Is this solution really supported? Or should I switch to use another
> > IKE daemon?
> I think it is unmaintained in upstream too.
>
But why is it still recommended in the FreeBSD handbook?

> > 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> > on another host):
> > (gdb) bt
> > #0  0x000000000024417f in isakmp_info_recv ()
> > #1  0x00000000002345f4 in isakmp_main ()
> > #2  0x00000000002307d0 in isakmp_handler ()
> > #3  0x000000000022f10d in session ()
> > #4  0x000000000022e62a in main ()
> >
> > 2. racoon generated 2 SA for each traffic direction (from hostA to hostB).
> > IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.
>
I don't understand what in my configuration can make a running daemon dump
core...
I've attached a sample racoon.conf. Can you check it for possible problems?
Also on one host I got a crash in another function:
(gdb) bt
#0  0x000000000024717f in privsep_init ()
#1  0x00000000002375f4 in inscontacted ()
#2  0x00000000002337d0 in isakmp_plist_set_all ()
#3  0x000000000023210d in isakmp_ph2expire ()
#4  0x000000000023162a in isakmp_ph1delete ()
#5  0x000000000023110b in isakmp_ph2resend ()
#6  0x00000008002aa000 in ?? ()
#7  0x0000000000000000 in ?? ()

> Note that if_ipsec(4) interfaces have their own security policies and you need
> to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add a special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in the
> port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html
>
This patch is already applied to the ports tree.
But it's not enough in my case :(

> Also you can use strongswan, we use it for some time and have no problems.
>
Okay. Thank you! I will try to use strongswan.

I tried to replace rsasig authentication with psk, but without luck. I again
got two IPsec SAs for each direction....

-- 
MATPOCKuH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racoon.conf
Type: application/octet-stream
Size: 2490 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20190507/58633b2a/attachment.obj>
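The check a practitioner would run after reading this thread, as an added example that is not from the post or from racoon/ipsec-tools: parse `setkey -D` output and list the traffic directions where more than one mature SA shares the same reqid, which is the "2 SA for each direction" symptom reported above. The sample output below is constructed, and the regexes assume the usual `setkey -D` layout (a `src dst` header line followed by indented `esp mode=... spi=... reqid=...` and `state=...` lines).

```python
import re
from collections import defaultdict

# Constructed sample in the style of `setkey -D` output (not from the thread):
# two mature SAs for 192.0.2.1 -> 192.0.2.2 share reqid 1; the reverse has one.
SAMPLE_SETKEY_D = """\
192.0.2.1 192.0.2.2
	esp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
	E: aes-cbc  ...
	A: hmac-sha256  ...
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
	esp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)
	E: aes-cbc  ...
	A: hmac-sha256  ...
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
	esp mode=tunnel spi=287454020(0x11223344) reqid=1(0x00000001)
	E: aes-cbc  ...
	A: hmac-sha256  ...
	seq=0x00000000 replay=64 flags=0x00000000 state=mature
"""

HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")           # unindented "src dst" line
SA = re.compile(r"^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(.*?\)\s+reqid=(\d+)")
STATE = re.compile(r"state=(\w+)")

def parse_setkey_d(text):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, state."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:                                      # new SA entry starts
            cur = {"src": m.group(1), "dst": m.group(2)}
            continue
        m = SA.match(line)
        if m and cur is not None:
            cur.update(proto=m.group(1), mode=m.group(2),
                       spi=int(m.group(3)), reqid=int(m.group(4)))
            continue
        m = STATE.search(line)
        if m and cur is not None and "spi" in cur:  # state line closes the entry
            cur["state"] = m.group(1)
            sas.append(cur)
            cur = None
    return sas

def duplicate_sas(sas):
    """(src, dst, reqid) -> SPIs, for directions holding >1 mature SA."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("state") == "mature":
            groups[(sa["src"], sa["dst"], sa["reqid"])].append(sa["spi"])
    return {k: v for k, v in groups.items() if len(v) > 1}
```

On a live host, feed the script the real output (`setkey -D | python3 check.py` style) instead of the constructed sample; a non-empty result means the IKE daemon negotiated more than one SA for the same direction and reqid.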