On 8/5/18 9:51 pm, Andrey V. Elsukov wrote:
On 08.05.2018 14:03, peter.b...@bsd4all.org wrote:
Hi Victor,

I’m struggling with the same issue. My sainfo doesn’t match unless I
use anonymous.

Hi Andrey,

What I don’t understand is why a “catchall” policy is added instead
of the policy that matches the inner tunnel.
This is because of how IPsec works in the BSD network stack.

In simple words - outbound traffic is matched by security policy,
inbound is matched by security association.

When a packet is going to be sent from a host, the kernel checks the
security policies for a match. If it is matched, the packet goes into IPsec
processing. Then the IPsec code, using the given security policy, does a lookup
for a matching security association. And some IPsec transform happens.

When a host receives a packet, it is handled by the network stack first. And
if it has a corresponding IPsec inner protocol (ESP, AH), it will be
handled by the IPsec code. A packet has an embedded SPI, which is used for
the security association lookup. If the corresponding SA is found, the IPsec
code will apply the reverse IPsec transform to the packet. Then the kernel
checks that there is some security policy for that packet.

Now, how if_ipsec(4) works. Security policies associated with an interface
have configured requirements for tunnel mode with configured addresses.
Interfaces are designed for route-based VPN, and when a packet is going
to be sent through an if_ipsec interface, its "output" routine uses the
security policy associated with the interface and with the configured "reqid".

If there are no SAs configured with the given reqid, the IPsec code will
send an ACQUIRE message to IKE, and it should install SAs that will be used
for IPsec transforms.

When a host receives a packet, it is handled by the network stack, then by the
IPsec code, and when the reverse transform is finished, the IPsec code checks: if
the packet was matched by a tunnel mode SA, it will be checked by the if_ipsec
input routine. If the addresses and reqid from the SA match the if_ipsec
configuration, it will be taken by the if_ipsec interface.


What is supposed to happen here? Is the IKE daemon supposed to update
the policy once started?
In my understanding, IKE is only supposed to install SAs for if_ipsec.
It can't change these policies, because they are immutable.

I think for proper support of several if_ipsec interfaces racoon needs
some patches. But I have no spare time to do this job.
I recommend using strongswan; it has active developers that are
responsive and may give some help at least.

There was a link with an example, but it also uses only one interface:
https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec

My answer was to create a jail to act as the endpoint of each VPN using VIMAGE and then allow each jail to run its own racoon.


_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
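The two lookup paths Andrey describes (outbound matched by security policy, inbound matched by security association via SPI, and if_ipsec adding a reqid plus tunnel addresses to that matching) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread, from racoon or from the FreeBSD kernel: the class names, the TEST-NET addresses, the rule that an SA's reqid must equal the policy's reqid, and the catch-all selectors on the interface policy are all assumptions of the model. It shows why SAs for a second if_ipsec interface must carry that interface's reqid: an SA for the right peer with the wrong reqid neither satisfies the interface's outbound policy (the kernel keeps sending ACQUIRE) nor gets delivered to the interface on input.

```python
"""Toy model of the IPsec lookup paths described in the thread.
Outbound: security policy (SPD) first, then an SA matching the policy.
Inbound: SA by SPI (SAD) first, then the if_ipsec interface whose reqid and
tunnel addresses match, otherwise the ordinary policy check.
All names, addresses and matching rules are this model's assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Security policy: inner selectors plus a tunnel-mode requirement."""
    src_net: str
    dst_net: str
    reqid: int
    tunnel_src: str
    tunnel_dst: str


@dataclass(frozen=True)
class SA:
    """Security association as IKE would install it (constructed values)."""
    spi: int
    reqid: int
    tunnel_src: str
    tunnel_dst: str


@dataclass(frozen=True)
class IpsecIf:
    """if_ipsec(4) interface: tunnel endpoints plus a reqid."""
    name: str
    reqid: int
    tunnel_src: str
    tunnel_dst: str


def policy_for_interface(ifp: IpsecIf) -> Policy:
    """Model assumption: the interface's immutable policy has catch-all
    selectors and carries the interface's reqid and tunnel addresses."""
    return Policy("0.0.0.0/0", "0.0.0.0/0", ifp.reqid, ifp.tunnel_src, ifp.tunnel_dst)


def spd_lookup(src: str, dst: str, spd: List[Policy]) -> Optional[Policy]:
    """Outbound: first policy whose selectors contain the packet addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sp in spd:
        if s in ipaddress.ip_network(sp.src_net) and d in ipaddress.ip_network(sp.dst_net):
            return sp
    return None


def sa_for_policy(sp: Policy, sad: List[SA]) -> Optional[SA]:
    """SA lookup driven by the policy: reqid and tunnel endpoints must match."""
    for sa in sad:
        if (sa.reqid, sa.tunnel_src, sa.tunnel_dst) == (sp.reqid, sp.tunnel_src, sp.tunnel_dst):
            return sa
    return None


def host_output(src: str, dst: str, spd: List[Policy], sad: List[SA]) -> tuple:
    """Plain host path: SPD match, then SA; no SA means an ACQUIRE to IKE."""
    sp = spd_lookup(src, dst, spd)
    if sp is None:
        return ("PLAINTEXT",)
    sa = sa_for_policy(sp, sad)
    return ("ESP", sa.spi) if sa else ("ACQUIRE", sp.reqid)


def ipsec_if_output(ifp: IpsecIf, sad: List[SA]) -> tuple:
    """Route-based path: the interface's own policy is used regardless of the
    inner addresses, so only reqid and endpoints select the SA."""
    sa = sa_for_policy(policy_for_interface(ifp), sad)
    return ("ESP", sa.spi) if sa else ("ACQUIRE", ifp.reqid)


def ipsec_input(spi: int, sad: List[SA], ifaces: List[IpsecIf]) -> tuple:
    """Inbound: SA by SPI, then the if_ipsec interface whose reqid and
    (swapped) tunnel addresses match the SA, else the ordinary policy check."""
    sa = next((s for s in sad if s.spi == spi), None)
    if sa is None:
        return ("DROP", "no SA for SPI")
    for ifp in ifaces:
        if (ifp.reqid, ifp.tunnel_dst, ifp.tunnel_src) == (sa.reqid, sa.tunnel_src, sa.tunnel_dst):
            return ("IFACE", ifp.name)
    return ("POLICY_CHECK", sa.reqid)


def demo() -> dict:
    """Constructed scenario: host 192.0.2.1 with two if_ipsec interfaces.
    IKE installed both SAs for ipsec0; ipsec1's peer has only an inbound SA
    that carries reqid 0 instead of the interface's reqid 200."""
    ipsec0 = IpsecIf("ipsec0", 100, "192.0.2.1", "198.51.100.1")
    ipsec1 = IpsecIf("ipsec1", 200, "192.0.2.1", "203.0.113.1")
    sad = [
        SA(0x1001, 100, "192.0.2.1", "198.51.100.1"),  # ipsec0, outbound
        SA(0x1002, 100, "198.51.100.1", "192.0.2.1"),  # ipsec0, inbound
        SA(0x2002, 0, "203.0.113.1", "192.0.2.1"),     # ipsec1 peer, wrong reqid
    ]
    # A policy-based SPD entry for comparison, sharing ipsec0's tunnel and reqid.
    spd = [Policy("10.1.0.0/16", "10.2.0.0/16", 100, "192.0.2.1", "198.51.100.1")]
    return {
        "ipsec0_out": ipsec_if_output(ipsec0, sad),
        "ipsec1_out": ipsec_if_output(ipsec1, sad),
        "spd_match": host_output("10.1.0.5", "10.2.0.9", spd, sad),
        "spd_miss": host_output("10.1.0.5", "10.3.0.9", spd, sad),
        "in_ipsec0": ipsec_input(0x1002, sad, [ipsec0, ipsec1]),
        "in_wrong_reqid": ipsec_input(0x2002, sad, [ipsec0, ipsec1]),
        "in_unknown_spi": ipsec_input(0x9999, sad, [ipsec0, ipsec1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

Running `demo()` shows ipsec0 encrypting with its SA while ipsec1 keeps returning ACQUIRE, and the inbound SA with the wrong reqid falling through to the policy check instead of being taken by ipsec1; that fall-through is the symptom to look for (with `setkey -D` and the interface counters) when a second interface's tunnel is up at the IKE level but carries no traffic.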
