Re: route based ipsec
I have tried certificates in the past, but racoon never worked stable enough. Didn't crash on me though. I have moved over to Strongswan and never regretted this move. Very stable.

Peter

> On 8 May 2019, at 03:29, Eugene Grosbein wrote:
>
> 08.05.2019 3:23, KOT MATPOCKuH wrote:
>
>> I don't understand what in my configuration can result in core dumps of a running
>> daemon...
>> I have attached a sample racoon.conf. Can you check for possible problems?
>> Also on one host I got a crash in another function:
>> (gdb) bt
>> #0 0x0024717f in privsep_init ()
>> #1 0x002375f4 in inscontacted ()
>> #2 0x002337d0 in isakmp_plist_set_all ()
>> #3 0x0023210d in isakmp_ph2expire ()
>> #4 0x0023162a in isakmp_ph1delete ()
>> #5 0x0023110b in isakmp_ph2resend ()
>> #6 0x0008002aa000 in ?? ()
>> #7 0x in ?? ()
>
> I guess configuration using certificates is not tested enough.
> It works stable for me but I use psk only.
>
> You need to fix code yourself or stop using racoon with certificates.
>
> ___
> freebsd-stable@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: route based ipsec
08.05.2019 3:23, KOT MATPOCKuH wrote:

> I don't understand what in my configuration can result in core dumps of a running
> daemon...
> I have attached a sample racoon.conf. Can you check for possible problems?
> Also on one host I got a crash in another function:
> (gdb) bt
> #0 0x0024717f in privsep_init ()
> #1 0x002375f4 in inscontacted ()
> #2 0x002337d0 in isakmp_plist_set_all ()
> #3 0x0023210d in isakmp_ph2expire ()
> #4 0x0023162a in isakmp_ph1delete ()
> #5 0x0023110b in isakmp_ph2resend ()
> #6 0x0008002aa000 in ?? ()
> #7 0x in ?? ()

I guess configuration using certificates is not tested enough.
It works stable for me but I use psk only.

You need to fix code yourself or stop using racoon with certificates.
Re: route based ipsec
Hello!

Sun, 5 May 2019 at 13:50, Andrey V. Elsukov:
>
>> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
>> ... Is this solution really supported? Or should I switch to another
>> IKE daemon?
>
> I think it is unmaintained in upstream too.

But why is it still recommended in the FreeBSD handbook?

>> 1. racoon crashed 3 times with core dump (2 times on one host, 1 time
>> on another host):
>> (gdb) bt
>> #0 0x0024417f in isakmp_info_recv ()
>> #1 0x002345f4 in isakmp_main ()
>> #2 0x002307d0 in isakmp_handler ()
>> #3 0x0022f10d in session ()
>> #4 0x0022e62a in main ()
>>
>> 2. racoon generated 2 SA for each traffic direction (from hostA to hostB).
>> IMHO one SA for each traffic direction should be enough.
>
> Probably you have something wrong in your configuration.

I don't understand what in my configuration can result in core dumps of a running daemon...
I have attached a sample racoon.conf. Can you check for possible problems?
Also on one host I got a crash in another function:
(gdb) bt
#0 0x0024717f in privsep_init ()
#1 0x002375f4 in inscontacted ()
#2 0x002337d0 in isakmp_plist_set_all ()
#3 0x0023210d in isakmp_ph2expire ()
#4 0x0023162a in isakmp_ph1delete ()
#5 0x0023110b in isakmp_ph2resend ()
#6 0x0008002aa000 in ?? ()
#7 0x in ?? ()

> Note that if_ipsec(4) interfaces have their own security policies and you need
> to check that racoon doesn't create additional policies. Also,
> if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
> interfaces. I made a patch to add a special parameter for racoon, so it is
> possible to use several if_ipsec(4) interfaces. I think it should be in the
> port.
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

This patch is already applied to the ports tree. But it's not enough in my case :(

> Also you can use strongswan, we have used it for some time and have no problems.

Okay. Thank you! I will try to use strongswan.

I tried to replace rsasig authentication with psk, but without luck. I again got two IPsec SAs for each direction.

-- 
MATPOCKuH
Re: route based ipsec
On 02.05.2019 23:16, KOT MATPOCKuH wrote:
> I'm trying to make a full mesh VPN using route based IPsec between four
> hosts under FreeBSD 12.
> I used racoon from security/ipsec-tools (as recommended in
> https://www.freebsd.org/doc/handbook/ipsec.html)
> The result looks like it works, but I got some problems:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?

I think it is unmaintained in upstream too.

> 1. racoon crashed 3 times with core dump (2 times on one host, 1 time
> on another host):
> (gdb) bt
> #0 0x0024417f in isakmp_info_recv ()
> #1 0x002345f4 in isakmp_main ()
> #2 0x002307d0 in isakmp_handler ()
> #3 0x0022f10d in session ()
> #4 0x0022e62a in main ()
>
> 2. racoon generated 2 SA for each traffic direction (from hostA to hostB).
> IMHO one SA for each traffic direction should be enough.

Probably you have something wrong in your configuration.
Note that if_ipsec(4) interfaces have their own security policies and you need
to check that racoon doesn't create additional policies. Also,
if_ipsec(4) uses the "reqid" parameter to distinguish IPsec SAs between
interfaces. I made a patch to add a special parameter for racoon, so it is
possible to use several if_ipsec(4) interfaces. I think it should be in the
port.
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

Also you can use strongswan, we have used it for some time and have no problems.

> 3. ping and TCP traffic works over ipsec tunnels, but, for example, ...
> I think it may be a result of two SAs for each direction, and some traffic
> can be passed to the kernel using the second SA, but can't be associated with the
> proper ipsecX interface.

Yes. Each SA has its SPI, which is used to encrypt/decrypt packets.
The if_ipsec(4) interface uses security policies with a specific reqid; the IKE daemon should install SAs with the same reqid, then packets that are going through the if_ipsec(4) interface can be correctly encrypted and decrypted.

-- 
WBR, Andrey V. Elsukov
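The reqid mismatch and the "two SAs per direction" symptom discussed above can both be checked from the kernel SAD. The following diagnostic is an added example, not code from the thread, FreeBSD or ipsec-tools: it parses a constructed sample in the layout of `setkey -D` output (addresses, SPIs and the interface reqid set {100, 200} are assumptions) and reports directions with more than one mature SA as well as SAs whose reqid belongs to no if_ipsec(4) interface.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of FreeBSD `setkey -D`; addresses and SPIs are invented.
# Two mature SAs 192.0.2.1 -> 192.0.2.2 share reqid 100; the last SA has reqid 0.
SAMPLE_SAD = """\
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=268435457(0x10000001) reqid=100(0x00000064)
    E: aes-cbc  00112233 44556677 8899aabb ccddeeff
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=268435459(0x10000003) reqid=100(0x00000064)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.3
    esp mode=tunnel spi=268435460(0x10000004) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

IF_IPSEC_REQIDS = {100, 200}  # reqids of the local if_ipsec(4) interfaces (assumed)

HEADER_RE = re.compile(r"^(\S+) (\S+)$")  # unindented "src dst" line opens an SA
SA_RE = re.compile(r"^\s+(esp|ah) mode=(\S+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)\(")
STATE_RE = re.compile(r"\bstate=(\w+)")

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, state."""
    sas, cur, src, dst = [], None, None, None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            src, dst = m.groups()
        elif (m := SA_RE.match(line)):
            cur = {"src": src, "dst": dst, "proto": m.group(1), "mode": m.group(2),
                   "spi": int(m.group(3)), "reqid": int(m.group(4)), "state": None}
            sas.append(cur)
        elif cur is not None and (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)  # other lines (E:, A:, lifetimes) are skipped
    return sas

def audit_sad(sas, expected_reqids):
    """duplicates: (src, dst, reqid) -> SPIs when more than one mature SA serves a
    direction; orphans: SPIs whose reqid belongs to no if_ipsec(4) interface."""
    by_dir = defaultdict(list)
    for sa in sas:
        if sa["state"] == "mature":
            by_dir[(sa["src"], sa["dst"], sa["reqid"])].append(sa["spi"])
    duplicates = {k: v for k, v in by_dir.items() if len(v) > 1}
    orphans = [sa["spi"] for sa in sas if sa["reqid"] not in expected_reqids]
    return duplicates, orphans

if __name__ == "__main__":
    print(audit_sad(parse_sad(SAMPLE_SAD), IF_IPSEC_REQIDS))
```

On a real host, feed the output of `setkey -D` to `parse_sad` and fill `IF_IPSEC_REQIDS` from the reqid shown by `ifconfig` for each ipsecN interface.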
Re: route based ipsec
Hello!

Sat, 4 May 2019 at 21:01, Scott Aitken:
>
>> On 5/2/2019 4:16 PM, KOT MATPOCKuH wrote:
>>> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
>>> ... Is this solution really supported? Or should I switch to
>>> another IKE daemon?
>
> I've just started using IPSEC between a 12.0-RELEASE box, a 11.2-RELEASE-p9
> box and a Cisco IOS router.

What type of peers_identifier are you using? I'm using asn1dn... And today I got a coredump on the 3rd host in:
#0 0x0024717f in privsep_init ()

> I haven't seen any core dumps or crashes. I run routing between these
> devices (using RIPv2 rather than OSPF) - in order to do this you need to
> create tunnels between the devices because encrypting routing protocols and
> things that use multicast is tricky. I felt that the handbook example
> was lacking - it should have been encrypting the tunnel endpoints and NOT
> the LAN traffic on either side of the tunnel.

I used a point-to-multipoint topology and hardcoded the peers' IP addresses for OSPF. No multicast => no problems :)

> Anyway I built IPENCAP (aka IPinIP) tunnels using gif interfaces and
> configured racoon/ipsec-tools to build the SA/SADs using the tunnel
> endpoints and IP protocol 4 (IPENCAP).

I think my next step will be to try gre tunnels over ipsec with psk authentication.

> If you want the configs let me know.

No, thank you! :)

-- 
MATPOCKuH
Re: route based ipsec
> On 5/2/2019 4:16 PM, KOT MATPOCKuH wrote:
>> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
>> ... Is this solution really supported? Or should I switch to
>> another IKE daemon?

I've just started using IPSEC between a 12.0-RELEASE box, a 11.2-RELEASE-p9 box and a Cisco IOS router.

I haven't seen any core dumps or crashes. I run routing between these devices (using RIPv2 rather than OSPF) - in order to do this you need to create tunnels between the devices because encrypting routing protocols and things that use multicast is tricky. I felt that the handbook example was lacking - it should have been encrypting the tunnel endpoints and NOT the LAN traffic on either side of the tunnel.

Anyway I built IPENCAP (aka IPinIP) tunnels using gif interfaces and configured racoon/ipsec-tools to build the SA/SADs using the tunnel endpoints and IP protocol 4 (IPENCAP). Step 1 was to confirm I could PING over the gif tunnel without crypto. Then I fired up racoon (setkey to create the SA and racoon for IPSEC).

If you want the configs let me know.

Scott
Re: route based ipsec
On 5/2/2019 4:16 PM, KOT MATPOCKuH wrote:
> 0. The ipsec-tools port currently does not have a maintainer (C) portmaster
> ... Is this solution really supported? Or should I switch to another
> IKE daemon?

Take a look at StrongSwan in the ports for your IKE daemon and google around for config examples / discussions. The bad news: the ipsec docs really need updating. The good news: StrongSwan and IPSEC in RELENG_11 and 12 are really great and well maintained. Documentation is sadly not in one place.

---Mike

---
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada