On 23/04/2018 14:13, Andrey V. Elsukov wrote:
> On 21.04.2018 19:16, Victor Gamov wrote:
>> When I change the ipsec-interfaces creation order, only the last created
>> interface works fine again and the previously configured interfaces do
>> not work.
>>
>>
>> And a very interesting fact: when I ping from the remote 10.10.98.5, for
>> example, to FreeBSD 10.10.98.6, no ICMP request comes over the
>> ipsec-interface, but an ICMP reply goes out via this ipsec-interface (but
>> is not delivered to 10.10.98.5)
>>
>>
>> Any ideas?
>
> I lack any ideas. For further debugging I need to see the output of
> # sysctl net. | grep ipsec
> # setkey -DP
> # setkey -D
> # ifconfig
>
> And probably racoon's logs.

Hi Andrey!

First of all -- many thanks for your responses!

The configs follow.

# sysctl net. | grep ipsec
=====
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.natt_cksum_policy: 0
net.inet.ipsec.check_policy_history: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.filtertunnel: 0
=====


# setkey -DP | grep -A 4 '^0'
=====
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/__Cisco_30__-__FreeBSD_IP__/unique:30
        spid=1 seq=11 pid=99239 scope=ifnet ifname=ipsec30
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/__Cisco_26__-__FreeBSD_IP__/unique#16385
        spid=5 seq=9 pid=99239 scope=ifnet ifname=ipsec26
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/__Cisco_25__-__FreeBSD_IP__/unique:26
        spid=9 seq=7 pid=99239 scope=ifnet ifname=ipsec25
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/__FreeBSD_IP__-__Cisco_30__/unique:30
        spid=2 seq=5 pid=99239 scope=ifnet ifname=ipsec30
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/__FreeBSD_IP__-__Cisco_26__/unique#16385
        spid=6 seq=3 pid=99239 scope=ifnet ifname=ipsec26
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/__FreeBSD_IP__-__Cisco_25__/unique:26
        spid=10 seq=1 pid=99239 scope=ifnet ifname=ipsec25
        refcnt=1
=====


# setkey -D
=====
__FreeBSD_IP__ __Cisco_30__
        esp mode=tunnel spi=2124688285(0x7ea42b9d) reqid=26(0x0000001a)
E: rijndael-cbc 6ca42c3b c24ce0ec f3f676c8 c9b9e72d fde63423 3f957b0c ee5da59d dce8a66d
        A: hmac-sha1  2adb7dfb 26d5de00 2fdd9a21 f63701ef 59d95a1a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 14:02:03 2018   current: Apr 23 14:17:40 2018
        diff: 937(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=5 pid=95677 refcnt=1
__FreeBSD_IP__ __Cisco_25__
        esp mode=tunnel spi=153891647(0x092c333f) reqid=26(0x0000001a)
E: rijndael-cbc 8f9905fe 6a9cfc76 a0da354b 53a7f901 298dca43 b5feda65 3be012e7 08835553
        A: hmac-sha1  aa2ec447 0e6b36e2 23ba9b27 9d0ecc05 4513af70
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:40:24 2018   current: Apr 23 14:17:40 2018
        diff: 2236(s)   hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=4 pid=95677 refcnt=1
__Cisco_25__ __FreeBSD_IP__
        esp mode=tunnel spi=21918183(0x014e71e7) reqid=26(0x0000001a)
E: rijndael-cbc 43e8f54a 0bdda6b5 41a637d5 4469973d 5b3dc8d0 37022187 43c86f0c 34054df8
        A: hmac-sha1  cf08a56a beead8b8 e637a14a 5fdbde3d b8c71192
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:40:24 2018   current: Apr 23 14:17:40 2018
        diff: 2236(s)   hard: 3600(s)   soft: 2880(s)
        last: Apr 23 13:40:25 2018      hard: 0(s)      soft: 0(s)
        current: 46900(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 719  hard: 0 soft: 0
        sadb_seq=3 pid=95677 refcnt=1
__FreeBSD_IP__ __Cisco_26__
        esp mode=tunnel spi=2471238029(0x934c198d) reqid=26(0x0000001a)
E: rijndael-cbc 01b3235e 0fe554d3 6dbcb505 bb34d511 93f8ee6f b0b15f43 077c411a afdb1b3b
        A: hmac-sha1  29ab22bd 2c4f0ade e1478e19 0ecf423f ef155ff3
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:42:29 2018   current: Apr 23 14:17:40 2018
        diff: 2111(s)   hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=95677 refcnt=1
__Cisco_26__ __FreeBSD_IP__
        esp mode=tunnel spi=103689330(0x062e2c72) reqid=26(0x0000001a)
E: rijndael-cbc 27936832 275a949a a156336c dbc049e1 3a88218a 1f23351f 54eb336d 8381bf0b
        A: hmac-sha1  8ed4e3a6 7d3d5b25 0c167123 fc8052a5 43738cf8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 13:42:29 2018   current: Apr 23 14:17:40 2018
        diff: 2111(s)   hard: 3600(s)   soft: 2880(s)
        last: Apr 23 13:42:33 2018      hard: 0(s)      soft: 0(s)
        current: 27360(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 456  hard: 0 soft: 0
        sadb_seq=1 pid=95677 refcnt=1
__Cisco_30__ __FreeBSD_IP__
        esp mode=tunnel spi=42561509(0x02896fe5) reqid=26(0x0000001a)
E: rijndael-cbc a9c9d21a b09f705b fbf33201 881b27af a23ea9fa 85085847 b4b50418 54d6c739
        A: hmac-sha1  7994e8dc ece0c8e7 434ac694 b0fc7952 bc1e01b0
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 23 14:02:03 2018   current: Apr 23 14:17:40 2018
        diff: 937(s)    hard: 3600(s)   soft: 2880(s)
        last: Apr 23 14:02:05 2018      hard: 0(s)      soft: 0(s)
        current: 19644(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 301  hard: 0 soft: 0
        sadb_seq=0 pid=95677 refcnt=1
=====


# ifconfig -au
=====
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: -LAN
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:b0:81:ac
        hwaddr 00:50:56:b0:81:ac
        inet 192.168.10.130 netmask 0xffffff00 broadcast 192.168.10.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: -WAN
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:b0:bf:de
        hwaddr 00:50:56:b0:bf:de
        inet __FreeBSD_IP__ netmask 0xffffffe0 broadcast __FreeBSD_IP_broadcast__
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
ipsec30: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Kur
        tunnel inet __FreeBSD_IP__ --> __Cisco_30__
        inet 10.10.98.1 --> 10.10.98.2  netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 30
        groups: ipsec
ipsec26: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Mur
        tunnel inet __FreeBSD_IP__ --> __Cisco_26__
        inet 10.10.98.9 --> 10.10.98.10  netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 16385
        groups: ipsec
ipsec25: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        description: -so: Sofy
        tunnel inet __FreeBSD_IP__ --> __Cisco_25__
        inet 10.10.98.5 --> 10.10.98.6  netmask 0xfffffffc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        reqid: 26
        groups: ipsec
=====



Racoon is launched with debug now, and sometimes I get DEBUG messages

=====
racoon: DEBUG: no such a SA found: ESP/Tunnel __Cisco_30__[500]->__FreeBSD_IP__[500] spi=198258211(0xbd12e23)
racoon: DEBUG: no such a SA found: ESP/Tunnel __Cisco_25__[500]->__FreeBSD_IP__[500] spi=2471238029(0x934c198d)
=====

with many FreeBSD/Cisco IP combinations.


And sometimes:
=====
racoon: DEBUG: check spi(packet)=153891647 spi(db)=738738094.
racoon: DEBUG: check spi(packet)=153891647 spi(db)=153891647.
racoon: DEBUG: purged 1 SAs.
racoon: DEBUG: purged SAs.
racoon: DEBUG: pk_recv: retry[0] recv()
racoon: DEBUG: DELETE message is not interesting because the message was originated by me.
racoon: DEBUG: pk_recv: retry[0] recv()
racoon: DEBUG: got pfkey ACQUIRE message
=====


Regardless of these messages, ping still works fine, but for the last configured ipsec-interface only.

--
CU,
Victor Gamov
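The `ifconfig`, `setkey -DP` and `setkey -D` output posted above can be cross-checked mechanically. The script below is an added example, not code from this thread or from FreeBSD/ipsec-tools: it parses the three outputs and reports, for each if_ipsec(4) interface, the reqid the interface carries, the reqid its `unique` policies request, and whether an inbound and an outbound SA with that reqid are actually installed (an if_ipsec interface only passes traffic for SAs whose reqid matches its own). The sample output embedded in the script is constructed after the thread's data: the redacted endpoints are replaced by RFC 5737 documentation addresses (an assumption), while the interface names, their reqids (30, 16385, 26) and the reqid=26 on every SA are as posted.

```python
"""Cross-check if_ipsec(4) interfaces against the kernel SPD and SAD.

An if_ipsec(4) interface only passes traffic for SAs whose reqid equals the
interface's reqid, so a tunnel whose policies or SAs carry another reqid
stays silent even though `setkey -D` shows mature SAs for its peer.
"""
import re
from collections import defaultdict

# Constructed sample output modelled on the thread's data; the real endpoint
# addresses are replaced by RFC 5737 documentation addresses (assumption).
LOCAL = "192.0.2.1"
PEERS = {"ipsec30": ("198.51.100.30", 30, ":30"),      # name: (peer, reqid, tag)
         "ipsec26": ("198.51.100.26", 16385, "#16385"),
         "ipsec25": ("198.51.100.25", 26, ":26")}

IFCONFIG = "".join(
    f"{n}: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400\n"
    f"        tunnel inet {LOCAL} --> {peer}\n"
    f"        inet 10.10.98.1 --> 10.10.98.2  netmask 0xfffffffc\n"
    f"        reqid: {reqid}\n        groups: ipsec\n"
    for n, (peer, reqid, _) in PEERS.items())

SPD = "".join(  # one in and one out policy per interface, as in `setkey -DP`
    f"0.0.0.0/0[any] 0.0.0.0/0[any] any\n        {d} ipsec\n"
    f"        esp/tunnel/{s}-{t}/unique{tag}\n"
    f"        spid=0 seq=0 pid=0 scope=ifnet ifname={n}\n        refcnt=1\n"
    for n, (peer, _, tag) in PEERS.items()
    for d, s, t in (("in", peer, LOCAL), ("out", LOCAL, peer)))

SAD = "".join(  # every SA installed with reqid=26, as in the thread's `setkey -D`
    f"{s} {t}\n        esp mode=tunnel spi=1(0x00000001) reqid=26(0x0000001a)\n"
    f"E: rijndael-cbc 00000000\n        seq=0x00000000 replay=4 state=mature\n"
    for peer, _, _ in PEERS.values()
    for s, t in ((LOCAL, peer), (peer, LOCAL)))

SA_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")          # unindented "src dst" line
SA_ESP = re.compile(r"^\s+esp mode=\w+ spi=\d+\(0x[0-9a-f]+\) reqid=(\d+)")
IF_HDR = re.compile(r"^(\w+): flags=")
IF_TUN = re.compile(r"^\s+tunnel inet (\S+) --> (\S+)")
IF_REQ = re.compile(r"^\s+reqid: (\d+)")
SP_DIR = re.compile(r"^\s+(in|out) ipsec")
SP_RULE = re.compile(r"^\s+esp/tunnel/[^/]+/unique[:#](\d+)")  # only unique has a reqid
SP_IF = re.compile(r"ifname=(\w+)")


def parse_sad(text):
    """Return [(src, dst, reqid)] for each SA in `setkey -D` output."""
    sas, cur = [], None
    for line in text.splitlines():
        hdr = SA_HDR.match(line)
        if hdr and not line.startswith(("E:", "A:")):   # key lines are unindented too
            cur = hdr.groups()
            continue
        esp = SA_ESP.match(line)
        if esp and cur:
            sas.append((cur[0], cur[1], int(esp.group(1))))
            cur = None
    return sas


def parse_ifconfig(text):
    """Return {ifname: (local, remote, reqid)} for interfaces that carry a reqid."""
    ifs, name = defaultdict(dict), None
    for line in text.splitlines():
        hdr = IF_HDR.match(line)
        if hdr:
            name = hdr.group(1)
            continue
        tun, req = IF_TUN.match(line), IF_REQ.match(line)
        if tun and name:
            ifs[name]["tunnel"] = tun.groups()
        if req and name:
            ifs[name]["reqid"] = int(req.group(1))
    return {n: (d["tunnel"][0], d["tunnel"][1], d["reqid"])
            for n, d in ifs.items() if "reqid" in d and "tunnel" in d}


def parse_spd(text):
    """Return {ifname: {"in": reqid, "out": reqid}} from `setkey -DP` output."""
    spd, direction, reqid = defaultdict(dict), None, None
    for line in text.splitlines():
        d, rule, ifm = SP_DIR.match(line), SP_RULE.match(line), SP_IF.search(line)
        if d:
            direction, reqid = d.group(1), None
        elif rule:
            reqid = int(rule.group(1))
        elif ifm and direction and reqid is not None:
            spd[ifm.group(1)][direction] = reqid
            direction = reqid = None
    return dict(spd)


def check(ifs, spd, sas):
    """Per interface: do the policies ask for, and does the SAD hold, its reqid?

    An SA is outbound when its source is the tunnel's local address and
    inbound when its destination is; both must exist with the right reqid.
    """
    report = {}
    for name, (local, remote, want) in ifs.items():
        pol = spd.get(name, {})
        sa_out = any((s, t, r) == (local, remote, want) for s, t, r in sas)
        sa_in = any((s, t, r) == (remote, local, want) for s, t, r in sas)
        report[name] = {"reqid": want, "sp_in": pol.get("in"), "sp_out": pol.get("out"),
                        "sa_in": sa_in, "sa_out": sa_out,
                        "ok": sa_in and sa_out and pol.get("in") == want == pol.get("out")}
    return report


if __name__ == "__main__":
    for name, r in sorted(check(parse_ifconfig(IFCONFIG), parse_spd(SPD),
                                parse_sad(SAD)).items()):
        print(f"{name}: reqid={r['reqid']} policy in/out={r['sp_in']}/{r['sp_out']} "
              f"SA in/out={r['sa_in']}/{r['sa_out']} -> "
              f"{'ok' if r['ok'] else 'BROKEN'}")
```

On the constructed sample the report marks ipsec25 as ok (its reqid 26 matches both policies and both SAs) and ipsec30 and ipsec26 as broken, because no SA with reqid 30 or 16385 exists. To run it against a live box, replace the three constants with `ifconfig`, `setkey -DP` and `setkey -D` output read from the commands; policies with a level other than `unique` carry no reqid and are reported as missing.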
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net