On 02.05.2019 23:16, KOT MATPOCKuH wrote:
> I'm trying to make a full mesh VPN using route-based IPsec between four
> hosts under FreeBSD 12.
> I used racoon from security/ipsec-tools (as it is recommended in
> https://www.freebsd.org/doc/handbook/ipsec.html)
> The result seems to work, but I got some problems:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?
I think it is unmaintained upstream too.

> 1. racoon crashed 3 times with a core dump (2 times on one host, 1 time
> on another host):
> (gdb) bt
> #0 0x000000000024417f in isakmp_info_recv ()
> #1 0x00000000002345f4 in isakmp_main ()
> #2 0x00000000002307d0 in isakmp_handler ()
> #3 0x000000000022f10d in session ()
> #4 0x000000000022e62a in main ()
>
> 2. racoon generated 2 SAs for each traffic direction (from hostA to hostB).
> IMHO one SA for each traffic direction should be enough.

Probably you have something wrong in your configuration. Note that
if_ipsec(4) interfaces have their own security policies and you need to
check that racoon doesn't create additional policies. Also, if_ipsec(4)
uses the "reqid" parameter to distinguish IPsec SAs between interfaces.
I made a patch to add a special parameter for racoon, so it is possible
to use several if_ipsec(4) interfaces. I think it should be in the port.
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html
Also you can use strongswan; we have used it for some time and have no
problems.

> 3. ping and TCP traffic work over the IPsec tunnels, but, for example, ...
> I think it may be the result of two SAs for each direction, and some
> traffic can be passed to the kernel using the second SA, but can't be
> associated with the proper ipsecX interface.

Yes. Each SA has its SPI, which is used to encrypt/decrypt packets.
An if_ipsec(4) interface uses security policies with a specific reqid;
the IKEd should install SAs with the same reqid, then packets that are
going through the if_ipsec(4) interface can be correctly encrypted and
decrypted.

--
WBR, Andrey V. Elsukov
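As an added example (not part of this thread), a small Python check for the reqid mismatch Andrey describes: it parses `setkey -DP` and `setkey -D` dumps and reports SAs whose reqid differs from the if_ipsec(4) policy for the same tunnel endpoints, plus policies with no matching SA. The sample dumps are constructed, the addresses are documentation ranges, and the dump line format is assumed from setkey(8).

```python
import re
# Constructed sample of `setkey -DP` output: the two policies created by one
# if_ipsec(4) interface with reqid 100 (dump format assumed from setkey(8)).
SPD_DUMP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/unique:100
    spid=2 seq=1 pid=0
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/unique:100
    spid=1 seq=0 pid=0
"""

# Constructed sample of `setkey -D` output: one SA per direction with the
# matching reqid, plus a second outbound SA installed with reqid 0, which the
# if_ipsec(4) policy will never select (the "two SAs per direction" symptom).
SAD_DUMP = """\
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=268435457(0x10000001) reqid=100(0x00000064)
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=268435459(0x10000003) reqid=100(0x00000064)
"""

SP_RE = re.compile(r"esp/tunnel/([^\s/-]+)-([^\s/]+)/unique:(\d+)")
SA_RE = re.compile(r"^(\S+) (\S+)\n\s+esp mode=tunnel spi=(\d+)\(0x[0-9a-f]+\)"
                   r" reqid=(\d+)", re.M)

def parse_spd(text):
    """Map (src, dst) of each tunnel-mode ESP policy to its unique reqid."""
    return {(s, d): int(r) for s, d, r in SP_RE.findall(text)}

def parse_sad(text):
    """List (src, dst, spi, reqid) for every tunnel-mode ESP SA in the dump."""
    return [(s, d, int(spi), int(r)) for s, d, spi, r in SA_RE.findall(text)]

def check_reqids(spd_text, sad_text):
    """Return (stray, missing): SAs whose reqid differs from the policy for the
    same endpoints, and policy endpoints with no SA carrying the right reqid."""
    policies = parse_spd(spd_text)
    sas = parse_sad(sad_text)
    stray = [sa for sa in sas if (sa[0], sa[1]) in policies
             and policies[(sa[0], sa[1])] != sa[3]]
    covered = {(s, d) for s, d, _, r in sas if policies.get((s, d)) == r}
    missing = [pair for pair in policies if pair not in covered]
    return stray, missing
```

On a live host, feed it the real output of `setkey -DP` and `setkey -D`; any entry in `stray` is an SA the IKE daemon installed that if_ipsec(4) traffic cannot use.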