Re: [RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

On 06.02.2017 16:27, peter.b...@bsd4all.org wrote:

Andrey,

Is this going to MFC'ed to stable-11 in the future? I have tested
with current and found no issues, but I would like to add it to a
semi-production environment running stable-11



Hi,

I thought to make MFC after a month or two, but I didn't seen any 
information when 11.1-RELEASE is planned. So, I don't know when feature 
freeze begins. Also there are some changes that can be considered as 
POLA violation, especially the single name space for SPI can affect some 
users.


--
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[peter . blok]

Andrey,

Is this going to MFC'ed to stable-11 in the future? I have tested with current 
and found no issues, but I would like to add it to a semi-production 
environment running stable-11

Peter


> On 6 Feb 2017, at 10:07, Andrey V. Elsukov  wrote:
> 
> On 11.12.2016 02:07, Andrey V. Elsukov wrote:
>> I am pleased to announce that projects/ipsec, that I started several
>> months ago is ready for testing and review.
>> The main goals were:
>>  * rework locking to make IPsec code more friendly for concurrent
>>processing;
>>  * make lookup in SADB/SPDB faster;
>>  * revise PFKEY implementation, remove stale code, make it closer
>>to RFC;
>>  * implement IPsec VTI (virtual tunneling interface);
>>  * make IPsec code loadable as kernel module.
> 
> JFYI, the project was merged into head/ in r313330.
> 
> -- 
> WBR, Andrey V. Elsukov
> ___
> freebsd-...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

On 11.12.2016 02:07, Andrey V. Elsukov wrote:

I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
  * rework locking to make IPsec code more friendly for concurrent
processing;
  * make lookup in SADB/SPDB faster;
  * revise PFKEY implementation, remove stale code, make it closer
to RFC;
  * implement IPsec VTI (virtual tunneling interface);
  * make IPsec code loadable as kernel module.


JFYI, the project was merged into head/ in r313330.

--
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Alexandr Krivulya]

11.12.2016 01:07, Andrey V. Elsukov пишет:

Hi All,

I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
   * rework locking to make IPsec code more friendly for concurrent
 processing;
   * make lookup in SADB/SPDB faster;
   * revise PFKEY implementation, remove stale code, make it closer
 to RFC;
   * implement IPsec VTI (virtual tunneling interface);
   * make IPsec code loadable as kernel module.

Currently all, except the last one is mostly done. So, I decided ask for
a help to test the what already done, while I will work on the last task.

How to try? There are no patches, you need to checkout the full
projects/ipsec source tree, and build the kernel and the base system.
There are very few changes in the base system, mostly the kernel
changes. Thus for testing that old configuration is still work, it is
enough to build only the kernel.

The approximate list of changes that may be visible to users:
* SA bundles now can have only 4 items in the chain. I think it is
enough, I can't imagine configurations when needed more. Also now SA
bundles supported for IPv6 too.
* due to changes in SPDB/SADB, systems where large number of SPs and SAs
are in use should get significant performance benefits.
* the memory consumption should slightly increase. There are several
hash tables and SP cache appeared.
* INPCB SP cache should noticeable increase network performance of
application when security policies are presence.
   https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042121.html
* use transport mode IPsec for forwarded IPv4 packets now unsupported.
This matches the IPv6 behavior, and since we can handle the replies, I
think it is useless.
* Added net.inet.ipsec.check_policy_history sysctl variable. When it is
set, each inbound packet that was handled by IPsec will be checked
according to matching security policy. If not all IPsec transforms were
applied, the check will fail, and packet will be dropped.
* Many PF_KEY messages handlers was updated, probably some IKEd now may
fail due to stricter checks.
* SPI now unique for each SA. This also can break something.
* Added if_ipsec interface. For more info look at
   https://svnweb.freebsd.org/base?view=revision&revision=309115
   https://reviews.freebsd.org/P112
* TCP_SIGNATURE code was reworked and now it behaves closer to RFC
   https://svnweb.freebsd.org/base?view=revision&revision=309610
* NAT-T support was reworked.
   https://svnweb.freebsd.org/base?view=revision&revision=309808
Also I made the patch to racoon that adds better support of NAT-T,
you can use this port to build patched racoon:
   https://people.freebsd.org/~ae/ipsec-tools.tgz

What results is interesting to me?
If you have some nontrivial configuration, please test.
If you have some configuration, that did't work, please test this branch.
If you have performance problems, please test. But don't forget that
this is head/ branch, you need to disable all debugging first.
If you just want to test, pay attention to the output of
`vmstat -m | egrep "sec|sah|pol|crypt"`.
If you have used TCP_SIGNATURE, IPSEC_NAT_T options, please test, this
support was significantly changed.

PS. I just updated the branch to last head/, and it was not tested, sorry :)



Hi, nothing unusual, all works fine. Strangswan in tunnel mode on current:

root@thinkpad:/home/shurik # ipsec status
Security Associations (1 up, 0 connecting):
ikev2-client[1]: ESTABLISHED 3 minutes ago, 
10.1.1.183[xxx..org.ua]...xxx.yyy.74.7[xxx..org.ua]
ikev2-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 
c6f68157_i c6d17c85_o

ikev2-client{1}:   10.10.10.2/32 === 0.0.0.0/0

--
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

Hi All,

I ported the changes from projects/ipsec to stable/11 branch.
So, if it is more suitable for testing, please, welcome.

You can checkout the sources from github:
https://github.com/bu7cher/freebsd/tree/stable/11

Also I made the standalone patch:
https://people.freebsd.org/~ae/ipsec.diff

Unfortunately, I did only compile test for stable branch.


I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
  * rework locking to make IPsec code more friendly for concurrent
processing;
  * make lookup in SADB/SPDB faster;
  * revise PFKEY implementation, remove stale code, make it closer
to RFC;
  * implement IPsec VTI (virtual tunneling interface);
  * make IPsec code loadable as kernel module.

Currently all, except the last one is mostly done. So, I decided ask for
a help to test the what already done, while I will work on the last task.

How to try? There are no patches, you need to checkout the full
projects/ipsec source tree, and build the kernel and the base system.
There are very few changes in the base system, mostly the kernel
changes. Thus for testing that old configuration is still work, it is
enough to build only the kernel.

The approximate list of changes that may be visible to users:
* SA bundles now can have only 4 items in the chain. I think it is
enough, I can't imagine configurations when needed more. Also now SA
bundles supported for IPv6 too.
* due to changes in SPDB/SADB, systems where large number of SPs and SAs
are in use should get significant performance benefits.
* the memory consumption should slightly increase. There are several
hash tables and SP cache appeared.
* INPCB SP cache should noticeable increase network performance of
application when security policies are presence.
  https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042121.html
* use transport mode IPsec for forwarded IPv4 packets now unsupported.
This matches the IPv6 behavior, and since we can handle the replies, I
think it is useless.
* Added net.inet.ipsec.check_policy_history sysctl variable. When it is
set, each inbound packet that was handled by IPsec will be checked
according to matching security policy. If not all IPsec transforms were
applied, the check will fail, and packet will be dropped.
* Many PF_KEY messages handlers was updated, probably some IKEd now may
fail due to stricter checks.
* SPI now unique for each SA. This also can break something.
* Added if_ipsec interface. For more info look at
  https://svnweb.freebsd.org/base?view=revision&revision=309115
  https://reviews.freebsd.org/P112
* TCP_SIGNATURE code was reworked and now it behaves closer to RFC
  https://svnweb.freebsd.org/base?view=revision&revision=309610
* NAT-T support was reworked.
  https://svnweb.freebsd.org/base?view=revision&revision=309808
Also I made the patch to racoon that adds better support of NAT-T,
you can use this port to build patched racoon:
  https://people.freebsd.org/~ae/ipsec-tools.tgz

What results is interesting to me?
If you have some nontrivial configuration, please test.
If you have some configuration, that did't work, please test this branch.
If you have performance problems, please test. But don't forget that
this is head/ branch, you need to disable all debugging first.
If you just want to test, pay attention to the output of
`vmstat -m | egrep "sec|sah|pol|crypt"`.
If you have used TCP_SIGNATURE, IPSEC_NAT_T options, please test, this
support was significantly changed.


IPsec as kernel modules was reported here:
https://lists.freebsd.org/pipermail/freebsd-net/2016-December/046762.html

Some additional testing also needed with this...

--
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

On 09.01.2017 14:38, Bjoern A. Zeeb wrote:

On 27 Dec 2016, at 10:18, Andrey V. Elsukov wrote:


So, if there will no objection, I'll merge projects/ipsec into head/
within two weeks.


I still keep seeing almost daily changes to the branch and am having a
hard time to convince myself to do a proper review that way.  I would
very much prefer this to be (a) either become stable first and then give
people a chance, or (b) see if you can break out small self-contained
changes put them up into review and merge them piece by piece making it
a lot easier to convince ourselves that things still look good.


Hi,

yes, I hope I have fixed all found issues, now I will test the changes 
in our environment. I prefer the first way (a), because another 
splitting into small pieces requires a lot of time that I don't have.

So, if you want to do a review, you are welcome :)
Now I'll be focused on testing with different IKEd, documenting the 
changes, and fixing possible NO_INET/NO_INET6 related build issues.


--
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Bjoern A. Zeeb]

On 27 Dec 2016, at 10:18, Andrey V. Elsukov wrote:

So, if there will no objection, I'll merge projects/ipsec into head/ 
within two weeks.


I still keep seeing almost daily changes to the branch and am having a 
hard time to convince myself to do a proper review that way.  I would 
very much prefer this to be (a) either become stable first and then give 
people a chance, or (b) see if you can break out small self-contained 
changes put them up into review and merge them piece by piece making it 
a lot easier to convince ourselves that things still look good.


/bz
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Ermal Luçi]

On Tue, Dec 27, 2016 at 6:10 AM, Andrey V. Elsukov 
wrote:

> On 27.12.2016 16:15, Jim Thompson wrote:
>
>> In it's initial state if_ipsec allows to use only one set of
>>> encryption parameters (because only one sainfo anonyumous is
>>> possible), so at this time it doesn't allow to create multiple
>>> tunnels with VPN hubs that use different cipers and/or transform
>>> sets, but as far as I understand this is subject to change and
>>> Andrey is already working on a support of this feature from
>>> ipsec-tools IKE daemon.
>>>
>>
>> pfSense (which you mention below) is using strongswan, so when
>> Andrey is finished with ipsec-tools, we will need to review his
>> changes and see what we can do for strongswan.
>>
>> I'm looking forward to the mutliple-tunnel support, which is
>> required for pfSense.
>>
>
> There are no such limits. You can create multiple VTI interfaces.
> The problem is in with racoon configuration restrictions. It looks like
> ipsec-tools project is dead, I didn't received any replies from
> ipsec-tools-devel mailing list.
>
> I'm not aware how to configure strongswan, so if someone will not try to
> do this, I don't know when I will do this.
>
>
Strongswan already supports this.
Just the FreeBSD code for it is not there due to the missing feature until
now.



> --
> WBR, Andrey V. Elsukov
> ___
> freebsd-...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
>
> --
> Ermal
>
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

On 27.12.2016 16:15, Jim Thompson wrote:

In it's initial state if_ipsec allows to use only one set of
encryption parameters (because only one sainfo anonyumous is
possible), so at this time it doesn't allow to create multiple
tunnels with VPN hubs that use different cipers and/or transform
sets, but as far as I understand this is subject to change and
Andrey is already working on a support of this feature from
ipsec-tools IKE daemon.


pfSense (which you mention below) is using strongswan, so when
Andrey is finished with ipsec-tools, we will need to review his
changes and see what we can do for strongswan.

I'm looking forward to the mutliple-tunnel support, which is
required for pfSense.


There are no such limits. You can create multiple VTI interfaces.
The problem is in with racoon configuration restrictions. It looks like 
ipsec-tools project is dead, I didn't received any replies from 
ipsec-tools-devel mailing list.


I'm not aware how to configure strongswan, so if someone will not try to 
do this, I don't know when I will do this.


--
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Jim Thompson]

> In it's initial state if_ipsec allows to use only one set of encryption 
> parameters (because only one sainfo anonyumous is possible), so at this time 
> it doesn't allow to create multiple tunnels with VPN hubs that use different 
> cipers and/or transform sets, but as far as I understand this is subject to 
> change and Andrey is already working on a support of this feature from 
> ipsec-tools IKE daemon.

pfSense (which you mention below) is using strongswan, so when Andrey
is finished with ipsec-tools, we will need to review his changes and
see what we can do for strongswan.

I'm looking forward to the mutliple-tunnel support, which is required
for pfSense.

> But even in this state this feature is already useful and I'm excited to see 
> it commited to HEAD and then MFC'd to 11.x, to start using it in my 
> production network (as you may know, buiding gre/ipsec tunnels on Juniper is 
> very hackish and tricky, bit I still have more than dozen of them). I've 
> already saw a discussion on FreeBSD web forums, and people there are excited 
> about if_ipsec too.

> Furthermore, I believe that guys using pfSense will be very happy about 
> if_ipsec in their routers, because I saw several discussions mentioning 
> missing VTI support there.

I'm not sure what discussions you saw.  We're aware, and very
interested in the VTI support.
https://twitter.com/gonzopancho/status/809412164259893248

On Wed, Dec 14, 2016 at 10:52 AM, Eugene M. Zheganin  wrote:
> Hi,
>
> On 11.12.2016 4:07, Andrey V. Elsukov wrote:
>>
>> Hi All,
>>
>> I am pleased to announce that projects/ipsec, that I started several
>> months ago is ready for testing and review.
>> The main goals were:
>>* rework locking to make IPsec code more friendly for concurrent
>>  processing;
>>* make lookup in SADB/SPDB faster;
>>* revise PFKEY implementation, remove stale code, make it closer
>>  to RFC;
>>* implement IPsec VTI (virtual tunneling interface);
>>* make IPsec code loadable as kernel module.
>>
>> Currently all, except the last one is mostly done. So, I decided ask for
>> a help to test the what already done, while I will work on the last task.
>>
> Well, at last FreeBSD got one of the most anticipated features in it's ipsec
> stack. When I wrote the message in the freebsd-net ML in the middle of 2012
> (https://lists.freebsd.org/pipermail/freebsd-net/2012-June/032556.html) I
> had a very little hope that someone will actually implement this, and now
> I'm very grateful that Andrey got the time to do this (and I'm really sorry
> for being such a pain in the ass, I'm saying so because I was bothering
> Andrey all this time in IRC). This isn't definitely a feature that every
> FreeBSD enthusiast will use, and, sadly, even not the feature that every
> network engineer that use ipsec in it's every day work will configure (many
> people still use obsoleted legacy interfaceless ipsec approach, not to
> mention weird and hybrid software routers like openvpn), but it's definitely
> a feature that will be appreciated by every skilled L3 VPN engineer that is
> using FreeBSD in it's operating stack. I've ran some tests in my production
> network and I should say that even on it's initial release state if_ipsec is
> fully operational with Juniper st tunnel on the other side, so I'm already
> running one FreeBSD <--> Juniper tunnel at my work:
>
> # ifconfig ipsec0
> ipsec0: flags=8051 metric 0 mtu 1400
> tunnel inet 128.127.144.19 --> 128.127.146.1
> inet 172.16.3.104 --> 172.16.3.105 netmask 0x
> inet6 fe80::204:23ff:fec7:194d%ipsec0 prefixlen 64 scopeid 0x9
> nd6 options=21
> reqid: 16385
> groups: ipsec
>
> racoon.conf:
> path pre_shared_key "/usr/local/etc/racoon/psk.txt";
>
> padding {
> maximum_length 20; # maximum padding length.
> randomize off; # enable randomize length.
> strict_check off; # enable strict check.
> exclusive_tail off; # extract last one octet.
> }
>
> listen {
> isakmp 128.127.144.19 [500];
> strict_address; # requires that all addresses must be bound.
> }
>
> timer {
> counter 5;
> interval 20 sec;
> persend 1;
>
> phase1 30 sec;
> phase2 15 sec;
> }
>
> #
> # SPb, Test
> #
>
> remote 128.127.146.1 {
> exchange_mode main;
> lifetime time 1 hour;
> my_identifier address 128.127.144.19;
> peers_identifier address 128.127.146.1;
> passive off;
> proposal_check obey;
> dpd_delay 20;
> proposal {
> encryption_algorithm des;
> hash_algorithm md5;
> authentication_method pre_shared_key;
> dh_group modp768;
> }
> }
>
> #
> # SPb, Test
> #
>
> sainfo address 0.0.0.0/0 [500] any address 0.0.0.0/0 [500] any {
> pfs_group modp768;
> lifetime time 60 min;
> encryption_algorithm des;
> authentication_algorithm non_auth;
> compression_algorithm deflate;
> }
>
> Juniper side:
>
>> show configuration interfaces st0.147
> descript

Re: [RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

On 11.12.2016 02:07, Andrey V. Elsukov wrote:

Hi All,

I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
  * rework locking to make IPsec code more friendly for concurrent
processing;
  * make lookup in SADB/SPDB faster;
  * revise PFKEY implementation, remove stale code, make it closer
to RFC;
  * implement IPsec VTI (virtual tunneling interface);
  * make IPsec code loadable as kernel module.

Currently all, except the last one is mostly done. So, I decided ask for
a help to test the what already done, while I will work on the last task.


I finished the last task, now it is possible to load/unload IPsec and 
TCP-MD5 support as kernel modules.


New kernel option IPSEC_SUPPORT should be used to build the kernel that 
is able to load IPsec module.


So, if you have 'options IPSEC' in the kernel config, IPsec support will 
be build in the kernel without TCP-MD5 support.


If you have 'options IPSEC' and 'options TCP_SIGNATURE', IPsec and 
TCP-MD5 support will be build in the kernel.


If you have 'options IPSEC' and 'options IPSEC_SUPPORT', IPsec support 
will be build in the kernel and TCP-MD5 can be loaded.


If you have 'options IPSEC_SUPPORT', IPsec and TCP-MD5 can be loaded.

If you have 'options IPSEC_SUPPORT' and 'options TCP_SIGNATURE', TCP-MD5 
support will be build in the kernel and IPsec can be loaded.


If you have not IPSEC* options, it isn't possible to use IPsec as module.

So, if there will no objection, I'll merge projects/ipsec into head/ 
within two weeks.


--
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: [RFC/RFT] projects/ipsec

[Eugene M. Zheganin]

Hi,

On 11.12.2016 4:07, Andrey V. Elsukov wrote:

Hi All,

I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
   * rework locking to make IPsec code more friendly for concurrent
 processing;
   * make lookup in SADB/SPDB faster;
   * revise PFKEY implementation, remove stale code, make it closer
 to RFC;
   * implement IPsec VTI (virtual tunneling interface);
   * make IPsec code loadable as kernel module.

Currently all, except the last one is mostly done. So, I decided ask for
a help to test the what already done, while I will work on the last task.

Well, at last FreeBSD got one of the most anticipated features in it's 
ipsec stack. When I wrote the message in the freebsd-net ML in the 
middle of 2012 
(https://lists.freebsd.org/pipermail/freebsd-net/2012-June/032556.html) 
I had a very little hope that someone will actually implement this, and 
now I'm very grateful that Andrey got the time to do this (and I'm 
really sorry for being such a pain in the ass, I'm saying so because I 
was bothering Andrey all this time in IRC). This isn't definitely a 
feature that every FreeBSD enthusiast will use, and, sadly, even not the 
feature that every network engineer that use ipsec in it's every day 
work will configure (many people still use obsoleted legacy 
interfaceless ipsec approach, not to mention weird and hybrid software 
routers like openvpn), but it's definitely a feature that will be 
appreciated by every skilled L3 VPN engineer that is using FreeBSD in 
it's operating stack. I've ran some tests in my production network and I 
should say that even on it's initial release state if_ipsec is fully 
operational with Juniper st tunnel on the other side, so I'm already 
running one FreeBSD <--> Juniper tunnel at my work:


# ifconfig ipsec0
ipsec0: flags=8051 metric 0 mtu 1400
tunnel inet 128.127.144.19 --> 128.127.146.1
inet 172.16.3.104 --> 172.16.3.105 netmask 0x
inet6 fe80::204:23ff:fec7:194d%ipsec0 prefixlen 64 scopeid 0x9
nd6 options=21
reqid: 16385
groups: ipsec

racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

padding {
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen {
isakmp 128.127.144.19 [500];
strict_address; # requires that all addresses must be bound.
}

timer {
counter 5;
interval 20 sec;
persend 1;

phase1 30 sec;
phase2 15 sec;
}

#
# SPb, Test
#

remote 128.127.146.1 {
exchange_mode main;
lifetime time 1 hour;
my_identifier address 128.127.144.19;
peers_identifier address 128.127.146.1;
passive off;
proposal_check obey;
dpd_delay 20;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp768;
}
}

#
# SPb, Test
#

sainfo address 0.0.0.0/0 [500] any address 0.0.0.0/0 [500] any {
pfs_group modp768;
lifetime time 60 min;
encryption_algorithm des;
authentication_algorithm non_auth;
compression_algorithm deflate;
}

Juniper side:

> show configuration interfaces st0.147
description "Perm, FreeBSD Test Server";
family inet {
mtu 1455;
address 172.16.3.105/32 {
destination 172.16.3.104;
}
}

> show configuration security ike policy kosm65
proposals norma-ike;
pre-shared-key ascii-text 
"$9$-SV4ZUDkqPQUjBIclLXgoJUqf9CuESeAp-w2gGUjHqfQn"; ## SECRET-DATA


> show configuration security ike gateway kosm65-freebsd-test
ike-policy perm-freebsd-test;
address 128.127.144.19;
local-identity inet 128.127.146.1;
remote-identity inet 128.127.144.19;
external-interface reth1.2;

> show configuration security ipsec vpn kosm65-freebsd-test
bind-interface st0.147;
ike {
gateway kosm65-freebsd-test;
ipsec-policy norma-policy;
}

> show configuration security ipsec policy norma-policy
perfect-forward-secrecy {
keys group1;
}
proposals norma-ipsec;

> show configuration security ipsec proposal norma-ipsec
protocol esp;
encryption-algorithm des-cbc;
lifetime-seconds 600;

> show configuration security ike proposal norma-ike
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm md5;
encryption-algorithm des-cbc;

In it's initial state if_ipsec allows to use only one set of encryption 
parameters (because only one sainfo anonyumous is possible), so at this 
time it doesn't allow to create multiple tunnels with VPN hubs that use 
different cipers and/or transform sets, but as far as I understand this 
is subject to change and Andrey is already working on a support of this 
feature from ipsec-tools IKE daemon. But even in this state this feature 
is already useful and I'm excited to see it commited to HEAD and then 
MFC'd to 11.x, to start using it in my production network (as you m

Re: [RFC/RFT] projects/ipsec

[Olivier Cochard-Labbé]

On Sun, Dec 11, 2016 at 12:07 AM, Andrey V. Elsukov  wrote:

> Hi All,
>
> I am pleased to announce that projects/ipsec, that I started several
> months ago is ready for testing and review.
> The main goals were:
>   * rework locking to make IPsec code more friendly for concurrent
> processing;
>   * make lookup in SADB/SPDB faster;
>   * revise PFKEY implementation, remove stale code, make it closer
> to RFC;
>   * implement IPsec VTI (virtual tunneling interface);
>   * make IPsec code loadable as kernel module.
>
>
​I've got a very simple configuration (static key),but I like the
performance improvement brings by projects/ipsec :-)

A simple packet-per-second using null encryption should be enough for
benching the improvement, but my IPSec lab (using Equilibrium methodology)
did a little more.

https://github.com/ocochard/netbenches/blob/master/AMD_GX-
412TC_4Cores_Intel_i210AT/ipsec/results/fbsd12.projects-
ipsec.equilibrium/graph.png

Thanks for your work!

Olivier
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

[RFC/RFT] projects/ipsec

[Andrey V. Elsukov]

Hi All,

I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
  * rework locking to make IPsec code more friendly for concurrent
processing;
  * make lookup in SADB/SPDB faster;
  * revise PFKEY implementation, remove stale code, make it closer
to RFC;
  * implement IPsec VTI (virtual tunneling interface);
  * make IPsec code loadable as kernel module.

Currently all, except the last one is mostly done. So, I decided ask for
a help to test the what already done, while I will work on the last task.

How to try? There are no patches, you need to checkout the full
projects/ipsec source tree, and build the kernel and the base system.
There are very few changes in the base system, mostly the kernel
changes. Thus for testing that old configuration is still work, it is
enough to build only the kernel.

The approximate list of changes that may be visible to users:
* SA bundles now can have only 4 items in the chain. I think it is
enough, I can't imagine configurations when needed more. Also now SA
bundles supported for IPv6 too.
* due to changes in SPDB/SADB, systems where large number of SPs and SAs
are in use should get significant performance benefits.
* the memory consumption should slightly increase. There are several
hash tables and SP cache appeared.
* INPCB SP cache should noticeable increase network performance of
application when security policies are presence.
  https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042121.html
* use transport mode IPsec for forwarded IPv4 packets now unsupported.
This matches the IPv6 behavior, and since we can handle the replies, I
think it is useless.
* Added net.inet.ipsec.check_policy_history sysctl variable. When it is
set, each inbound packet that was handled by IPsec will be checked
according to matching security policy. If not all IPsec transforms were
applied, the check will fail, and packet will be dropped.
* Many PF_KEY messages handlers was updated, probably some IKEd now may
fail due to stricter checks.
* SPI now unique for each SA. This also can break something.
* Added if_ipsec interface. For more info look at
  https://svnweb.freebsd.org/base?view=revision&revision=309115
  https://reviews.freebsd.org/P112
* TCP_SIGNATURE code was reworked and now it behaves closer to RFC
  https://svnweb.freebsd.org/base?view=revision&revision=309610
* NAT-T support was reworked.
  https://svnweb.freebsd.org/base?view=revision&revision=309808
Also I made the patch to racoon that adds better support of NAT-T,
you can use this port to build patched racoon:
  https://people.freebsd.org/~ae/ipsec-tools.tgz

What results is interesting to me?
If you have some nontrivial configuration, please test.
If you have some configuration, that did't work, please test this branch.
If you have performance problems, please test. But don't forget that
this is head/ branch, you need to disable all debugging first.
If you just want to test, pay attention to the output of
`vmstat -m | egrep "sec|sah|pol|crypt"`.
If you have used TCP_SIGNATURE, IPSEC_NAT_T options, please test, this
support was significantly changed.

PS. I just updated the branch to last head/, and it was not tested, sorry :)

-- 
WBR, Andrey V. Elsukov



signature.asc
Description: OpenPGP digital signature