Andrey, I was planning to move towards Strongswan anyway. The 1st step (with 1 interface worked great)
Julian, The idea of having a jail as VPN end-point is going to help me transition step by step and possibly have both racoon and strongswan active. Thx, Peter > On 9 May 2018, at 03:08, Julian Elischer <jul...@freebsd.org> wrote: > > On 8/5/18 9:51 pm, Andrey V. Elsukov wrote: >> On 08.05.2018 14:03, peter.b...@bsd4all.org wrote: >>> Hi Victor, >>> >>> I’m struggling wit the same issue. My sainfo doesn’t match unless I >>> use anonymous. >>> >>> Hi Andrey, >>> >>> What I don’t understand is why a “catchall” policy is added instead >>> of the policy that matches the inner tunnel. >> This is because the how IPsec works in BSD network stack. >> >> In simple words - outbound traffic is matched by security policy, >> inbound is matched by security association. >> >> When a packet is going to be send from a host, the kernel checks >> security policies for match. If it is matched, a packet goes into IPsec >> processing. Then IPsec code using given security policy does lookup for >> matched security association. And some IPsec transform happens. >> >> When a host receives a packet, it handled by network stack first. And >> if it has corresponding IPsec inner protocol (ESP, AH), it will be >> handled by IPsec code. A packet has embedded SPI, it is used for >> security association lookup. If corresponding SA is found, the IPsec >> code will apply revers IPsec transform to the packet. Then the kernel >> checks, that there is some security policy for that packet. >> >> Now how if_ipsec(4) works. Security policies associated with interface >> have configured requirements for tunnel mode with configured addresses. >> Interfaces are designed for route based VPN, and when a packet is going >> to be send through if_ipsec interface, its "output" routine uses >> security policy associated with interface and with configured "reqid". >> >> If there are no SAs configured with given reqid, the IPsec code will >> send ACQUIRE message to IKE and it should install SAs, that will be used >> for IPsec transforms. >> >> When a host receives a packet, it handled by network stack, then by >> IPsec code and when reverse transform is finished, IPsec code checks, if >> packet was matched by tunnel mode SA it will be checked by if_ipsec >> input routine. If addresses and reqid from SA matched to if_ipsec >> configuration, it will be taken by if_ipsec interface. >> >> >>> What is supposed to happen here? Is the IKE daemon supposed to update >>> the policy once started. >> In my understanding IKE is only supposed to install SAs for if_ipsec. >> It can't change these policies, because they are immutable. >> >> I think for proper support of several if_ipsec interfaces racoon needs >> some patches. But I have not spare time to do this job. >> I recommend to use strongswan, it has active developers that are >> responsive and may give some help at least. >> >> There was the link with example, but it also uses only one interface: >> https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec >> > my answer was to create a jail to act as the endpoint of each vpn using > VIMAGE and then allow each jail to run its own raccoon. > > > _______________________________________________ > freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org> mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > <https://lists.freebsd.org/mailman/listinfo/freebsd-net> > To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org > <mailto:freebsd-net-unsubscr...@freebsd.org>" _______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
