https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274469
Bug ID: 274469
Summary: if_ipsec cannot handle multiple connections from same reqid
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
On Linux, strongswan can assign a unique if_id to each incoming connection that belongs to the same reqid (phase2) definition. This way, you can create an xfrm interface for each incoming CHILD_SA using up/down scripts.
But on FreeBSD, only the reqid can be used for if_ipsec creation. It would be perfect if it could support if_id.
The problem on FreeBSD: all the incoming connections get the SAME reqid in the scenario and config given below. So we need something like if_id on Linux.
I tried setting reqid = 0 in swanctl.conf to assign it dynamically, but it takes only one reqid value and all incoming connections use the same reqid, so we cannot separate the interfaces from each other.
The usage scenario is explained below:
- Host A is the responder, which accepts multiple roadwarriors from a single conn/child definition.
- Remote ID is defined as "*.local"
- Host B is an initiator using Local ID "hostB.local"
- Host C is an initiator using Local ID "hostC.local"
- There are many initiators like this.
- The updown script on Host A should create a new if_ipsec for each initiator.
- I want to create different if_ipsec interfaces for each remote host without defining them statically in swanctl.conf.
- It's possible on Linux.
Example strongswan config for Host A:
    responder {
        local_addrs = %any
        remote_addrs = %any
        pools = vip_pool
        local {
            id = responder.local
            auth = psk
        }
        remote {
            id = *.local
            auth = psk
        }
        children {
            phase2 {
                local_ts = 169.254.255.1
                remote_ts = 0.0.0.0/0
                updown = /scripts/updown.sh
                if_id_in = %unique
                if_id_out = %unique
                esp_proposals = aes128gcm8-prfmd5-modp1024
                mode = tunnel
            }
        }
        version = 2
        proposals = aes128gcm8-prfmd5-modp1024
    }
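As an added illustration of the updown-script approach described in this report (example code, not part of the bug report, strongSwan or FreeBSD), the script below tries to give each peer's CHILD_SA its own tunnel interface. On Linux it keys the interface on the per-IKE_SA if_id that `%unique` allocates; on FreeBSD, where if_ipsec(4) only accepts a reqid, every SA created from the same child definition collapses onto the same key, which is the collision the report complains about. It assumes (not shown on the page) that strongSwan exports PLUTO_VERB, PLUTO_REQID, PLUTO_IF_ID_IN, PLUTO_ME, PLUTO_PEER and PLUTO_PEER_ID to the script, and adds a DRY_RUN=1 mode that prints the commands instead of running them.

```sh
#!/bin/sh
# Added example: a strongSwan updown script that gives each CHILD_SA its own
# tunnel interface. It is not code from the bug report, strongSwan or FreeBSD.
# Assumed, not shown on the page: strongSwan exports PLUTO_VERB, PLUTO_REQID,
# PLUTO_IF_ID_IN, PLUTO_ME, PLUTO_PEER and PLUTO_PEER_ID to updown scripts,
# and DRY_RUN=1 prints the commands instead of executing them.

# Choose the number that identifies this CHILD_SA on the given OS.
# Linux: the per-IKE_SA if_id (if_id_in = %unique) is used when present.
# FreeBSD: if_ipsec(4) only takes a reqid, so every SA created from the same
# child definition ends up with the same key. That is the collision the
# report describes.
sa_key() {
    os=$1; reqid=$2; if_id=$3
    if [ "$os" = Linux ] && [ "${if_id:-0}" != 0 ]; then
        echo "$if_id"
    else
        echo "$reqid"
    fi
}

# Print the commands that create (up-*) or destroy (down-*) the interface
# ipsec<key>. Arguments: os verb key local-address peer-address.
iface_cmds() {
    os=$1; verb=$2; key=$3; me=$4; peer=$5
    case "$os:$verb" in
        Linux:up-*)
            echo "ip link add ipsec$key type xfrm dev lo if_id $key"
            echo "ip link set ipsec$key up" ;;
        Linux:down-*)
            echo "ip link del ipsec$key" ;;
        FreeBSD:up-*)
            echo "ifconfig ipsec$key create reqid $key tunnel $me $peer up" ;;
        FreeBSD:down-*)
            echo "ifconfig ipsec$key destroy" ;;
        *)
            echo "echo unsupported: $os $verb" ;;
    esac
}

# Entry point used when strongSwan invokes the script.
updown() {
    os=$(uname -s)
    key=$(sa_key "$os" "${PLUTO_REQID:-0}" "${PLUTO_IF_ID_IN:-0}")
    iface_cmds "$os" "$PLUTO_VERB" "$key" "${PLUTO_ME:-}" "${PLUTO_PEER:-}" |
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$PLUTO_VERB for ${PLUTO_PEER_ID:-?}: $cmd"
        else
            $cmd
        fi
    done
}

# Only act when strongSwan actually called us (PLUTO_VERB is set).
if [ -n "${PLUTO_VERB:-}" ]; then
    updown
fi
```

With two roadwarriors hostB.local and hostC.local the Linux branch yields ipsec5 and ipsec6 (their distinct if_ids), while the FreeBSD branch yields ipsec1 for both, because PLUTO_REQID is the same for every SA from the shared child definition; the second `ifconfig ipsec1 create` then fails because the interface already exists.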