Re: multiple if_ipsec

2018-05-16 Thread Victor Gamov
On 09/05/2018 10:06, peter.b...@bsd4all.org wrote: Andrey, I was planning to move towards Strongswan anyway. The 1st step (with 1 interface worked great) Julian, The idea of having a jail as VPN end-point is going to help me transition step by step and possibly have both racoon and

Re: multiple if_ipsec

2018-05-13 Thread peter . blok
t spare time to do this job. >> I recommend to use strongswan, it has active developers that are >> responsive and may give some help at least. > > Hi, > > Today I hacked ipsec-tools a bit, and made the patch that adds support > for multiple if_ipsec interfaces. >

Re: multiple if_ipsec

2018-05-13 Thread Andrey V. Elsukov
t least. Hi, Today I hacked ipsec-tools a bit, and made the patch that adds support for multiple if_ipsec interfaces. https://people.freebsd.org/~ae/patch-reqid.diff You can put this patch into ipsec-tools/files/ directory and then rebuild the package. I'm not sure about compatibility

Re: multiple if_ipsec

2018-05-09 Thread peter . blok
Andrey, I was planning to move towards Strongswan anyway. The 1st step (with 1 interface worked great) Julian, The idea of having a jail as VPN end-point is going to help me transition step by step and possibly have both racoon and strongswan active. Thx, Peter > On 9 May 2018, at 03:08,

Re: multiple if_ipsec

2018-05-08 Thread Julian Elischer
On 8/5/18 9:51 pm, Andrey V. Elsukov wrote: On 08.05.2018 14:03, peter.b...@bsd4all.org wrote: Hi Victor, I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous. Hi Andrey, What I don’t understand is why a “catchall” policy is added instead of the policy that

Re: multiple if_ipsec

2018-05-08 Thread Andrey V. Elsukov
On 08.05.2018 14:03, peter.b...@bsd4all.org wrote: > Hi Victor, > > I’m struggling with the same issue. My sainfo doesn’t match unless I > use anonymous. > > Hi Andrey, > > What I don’t understand is why a “catchall” policy is added instead > of the policy that matches the inner tunnel. This is

Re: multiple if_ipsec

2018-05-08 Thread peter . blok
Hi Victor, I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous. Hi Andrey, What I don’t understand is why a “catchall” policy is added instead of the policy that matches the inner tunnel. What is supposed to happen here? Is the IKE daemon supposed to update the

Re: multiple if_ipsec

2018-04-25 Thread Victor Gamov
On 23/04/2018 15:43, Andrey V. Elsukov wrote: Your security associations don't match your security policies. Probably you did interface reconfiguration without clearing old SAs. I think your configuration will work if you first do the if_ipsec(4) configuration, then start racoon and it

Re: multiple if_ipsec

2018-04-23 Thread Andrey V. Elsukov
On 23.04.2018 15:10, Victor Gamov wrote: > # setkey -D > = > __FreeBSD_IP__ __Cisco_30__ > esp mode=tunnel spi=2124688285(0x7ea42b9d) reqid=26(0x001a) This must be 30 ^^^ > __FreeBSD_IP__ __Cisco_25__ > esp mode=tunnel

Re: multiple if_ipsec

2018-04-23 Thread Victor Gamov
On 23/04/2018 14:13, Andrey V. Elsukov wrote: On 21.04.2018 19:16, Victor Gamov wrote: When I change the ipsec-interfaces creation order, then only the last created interface works fine again and the previously configured interfaces do not work. And a very interesting fact: when I ping from remote

Re: multiple if_ipsec

2018-04-23 Thread Andrey V. Elsukov
On 21.04.2018 19:16, Victor Gamov wrote: > When I change the ipsec-interfaces creation order, then only the last created > interface works fine again and the previously configured interfaces do > not work. > > > And a very interesting fact: when I ping from remote 10.10.98.5 for > example to FreeBSD

Re: multiple if_ipsec

2018-04-21 Thread Victor Gamov
On 20/04/2018 19:42, Andrey V. Elsukov wrote: On 20.04.2018 18:48, Victor Gamov wrote: A more correct statement of the problem is: only the last configured ipsec interface passes tx/rx traffic. For my example: - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK

Re: multiple if_ipsec

2018-04-20 Thread Andrey V. Elsukov
On 20.04.2018 18:48, Victor Gamov wrote: > A more correct statement of the problem is: only the last configured ipsec interface passes tx/rx traffic. > For my example: > > - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK > > - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK > > - ping from 10.10.98.5 (Cisco) to

Re: multiple if_ipsec

2018-04-20 Thread Victor Gamov
On 20/04/2018 13:04, Andrey V. Elsukov wrote: On 20.04.2018 11:17, Victor Gamov wrote: All local SAs are configured and established, and the remote side (Cisco routers) reports SAs established too. But traffic goes via only one ipsec interface. If you have all SAs established, you probably need to check

Re: multiple if_ipsec

2018-04-20 Thread Andrey V. Elsukov
On 20.04.2018 11:17, Victor Gamov wrote: > All local SAs are configured and established, and the remote side (Cisco routers) > reports SAs established too. > > But traffic goes via only one ipsec interface. If you have all SAs established, you probably need to check your routing configuration. Or at least

multiple if_ipsec

2018-04-20 Thread Victor Gamov
Hi All, I have a FreeBSD box (11.1-STABLE FreeBSD 11.1-STABLE #0 r327786) and a simple configuration with two if_ipsec interfaces configured like = ipsec25: flags=8051 metric 0 mtu 1400 description: -so: Sofy tunnel inet IP-FreeBSD --> IP-Cisco-RTR-1