Hi, I have mixed types of configurations. I’ll give it a run next week.
So far I have tried a tunnel with if_ipsec and strongswan at one end and gif and racoon at the other end. I have tried if_ipsec with strongswan on both ends. I'll start with recompiling racoon today and using it to see if it breaks any existing stuff.

Peter

> On 13 May 2018, at 13:59, Andrey V. Elsukov <bu7c...@yandex.ru> wrote:
>
> On 08.05.2018 16:51, Andrey V. Elsukov wrote:
>> I think for proper support of several if_ipsec interfaces racoon needs
>> some patches. But I have no spare time to do this job.
>> I recommend using strongswan; it has active developers that are
>> responsive and may give some help at least.
>
> Hi,
>
> Today I hacked ipsec-tools a bit, and made the patch that adds support
> for multiple if_ipsec interfaces.
>
> https://people.freebsd.org/~ae/patch-reqid.diff
>
> You can put this patch into the ipsec-tools/files/ directory and then
> rebuild the package. I'm not sure about compatibility with generic
> configurations, I tested only the case with two if_ipsec tunnels.
>
> What it does:
> * added a new configuration option for the sainfo section - "reqid NUM";
> * the policy index was extended to contain reqid, so now racoon's security
>   policies from multiple interfaces don't overlap;
> * logging extended to print reqid in some places.
>
> How it is expected to be used:
>
> In racoon.conf you have several "remote IP-address {}" sections. Each
> section should have a "ph1id NUM" option. This option is used to select
> the corresponding "sainfo {}". You can have many "sainfo anonymous {}"
> sections with different "remoteid NUM", where NUM should match "ph1id
> NUM". Also you need to add a "reqid N" option to these sainfo sections.
> This reqid should match the value configured on the if_ipsec interface.
>
> I.e. "ph1id NUM" and "remoteid NUM" are used to create the relation between
> "sainfo" and "remote" sections. And the "reqid N" option is used to look up
> the corresponding SP in the SPDB and install the proper SA with the needed reqid.
> The example based on your config:
>
> remote 10.9.8.2
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     my_identifier address 10.9.8.3;
>     peers_identifier address 10.9.8.2;
>     ph1id 10982;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey;    # obey, strict, or claim
>     passive off;
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> remote 10.9.8.6
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     my_identifier address 10.9.8.3;
>     peers_identifier address 10.9.8.6;
>     ph1id 10986;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey;
>     passive off;
>
>     proposal {
>         encryption_algorithm aes;
>         hash_algorithm sha256;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> sainfo anonymous
> {
>     remoteid 10982;
>     reqid 100;
>     lifetime time 24 hour;
>
>     pfs_group 2;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }
>
> sainfo anonymous
> {
>     remoteid 10986;
>     reqid 200;
>     lifetime time 24 hour;
>
>     pfs_group 2;
>     encryption_algorithm aes;
>     authentication_algorithm hmac_sha256;
>     compression_algorithm deflate;
> }
>
> sainfo anonymous
> {
>     lifetime time 30 min;
>
>     pfs_group 2;
>     encryption_algorithm des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
>
> --
> WBR, Andrey V. Elsukov
>
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
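An added example, not part of this thread and not code from ipsec-tools or the patch linked above: a small Python consistency check for the relations the quoted message describes (every `sainfo` with a `remoteid` must point at a `remote` section carrying the same `ph1id`, must carry a `reqid`, and that `reqid` must be unique and match one set on an if_ipsec interface). The interface-to-reqid map is supplied by the caller; the one below is constructed to mirror `ifconfig ipsecN reqid N`, and the sample racoon.conf is trimmed from the quoted one. Mixing up a reqid silently binds an SA to the wrong tunnel, which is the class of mistake this catches before racoon is restarted.

```python
"""Consistency check for a racoon.conf that uses the sainfo "reqid" option
from the patch in this thread together with if_ipsec(4) tunnels. Added
example, not code from ipsec-tools or the patch. Relations checked:
  remote {} ph1id NUM  <->  sainfo {} remoteid NUM
  sainfo {} reqid N    <->  reqid N set on an if_ipsec interface
The interface -> reqid map is caller-supplied (constructed below); on a
real host it mirrors the `ifconfig ipsecN reqid N` lines in rc.conf."""
import re

# Opening of a top-level "remote ADDR {" or "sainfo NAME {" block.
SECTION_RE = re.compile(r'\b(remote\s+\S+|sainfo\s+\S+)\s*\{')


def parse_sections(text):
    """Return [(kind, name, {option: value})] per remote/sainfo block.
    Only top-level options are kept; nested blocks ("proposal {}") are
    skipped by brace counting, '#' comments stripped, plain "remote ADDR"
    form only (no "[port]" suffix)."""
    text = re.sub(r'#.*', '', text)
    sections, pos = [], 0
    while (m := SECTION_RE.search(text, pos)):
        kind, name = m.group(1).split(None, 1)
        depth, buf, opts, i = 1, '', {}, m.end()
        while i < len(text) and depth > 0:
            c = text[i]
            if c == '{':
                depth, buf = depth + 1, ''   # entering a nested block
            elif c == '}':
                depth -= 1
            elif depth == 1 and c == ';':
                parts = buf.split(None, 1)
                if len(parts) == 2:
                    opts[parts[0]] = parts[1].strip()
                buf = ''
            elif depth == 1:
                buf += c
            i += 1
        sections.append((kind, name.strip(), opts))
        pos = i
    return sections


def check(conf_text, iface_reqids):
    """Return a list of problems (empty == consistent). iface_reqids maps
    interface name -> reqid number as set on the if_ipsec interfaces."""
    problems, ph1ids, reqid_owner = [], {}, {}
    sections = parse_sections(conf_text)
    for kind, name, o in sections:
        if kind == 'remote' and 'ph1id' in o:
            ph1ids[o['ph1id']] = name
        elif kind == 'remote':
            problems.append(f'remote {name}: no ph1id, no sainfo can be tied to it')
    iface_by_reqid = {str(v): k for k, v in iface_reqids.items()}
    for kind, name, o in sections:
        rid = o.get('remoteid')
        if kind != 'sainfo' or rid is None:
            continue              # a catch-all sainfo without remoteid is fine
        if rid not in ph1ids:
            problems.append(f'sainfo remoteid {rid}: no remote section has ph1id {rid}')
        reqid = o.get('reqid')
        if reqid is None:
            problems.append(f'sainfo remoteid {rid}: no reqid, SP lookup cannot pick a tunnel')
            continue
        if reqid in reqid_owner:
            problems.append(f'sainfo remoteid {rid}: reqid {reqid} already used by '
                            f'sainfo remoteid {reqid_owner[reqid]}')
        reqid_owner[reqid] = rid
        if reqid not in iface_by_reqid:
            problems.append(f'sainfo remoteid {rid}: reqid {reqid} is set on no if_ipsec interface')
    for reqid, ifname in iface_by_reqid.items():
        if reqid not in reqid_owner:
            problems.append(f'{ifname}: reqid {reqid} has no sainfo carrying it')
    return problems


# Constructed sample trimmed from the quoted config; one proposal block kept
# to exercise the nested-brace handling.
SAMPLE_CONF = """
remote 10.9.8.2
{
    peers_identifier address 10.9.8.2;
    ph1id 10982;
    proposal_check obey;    # obey, strict, or claim
    proposal { encryption_algorithm 3des; authentication_method pre_shared_key; }
}
remote 10.9.8.6
{
    peers_identifier address 10.9.8.6;
    ph1id 10986;
}
sainfo anonymous { remoteid 10982; reqid 100; encryption_algorithm 3des; }
sainfo anonymous { remoteid 10986; reqid 200; encryption_algorithm aes; }
sainfo anonymous { lifetime time 30 min; }
"""
# Constructed: ipsec0 carries reqid 100, ipsec1 reqid 200.
IFACE_REQIDS = {'ipsec0': 100, 'ipsec1': 200}

if __name__ == '__main__':
    for line in check(SAMPLE_CONF, IFACE_REQIDS) or ['consistent']:
        print(line)
```

Run it against the real racoon.conf and a map built from the host's `ifconfig_ipsecN` lines; an empty list means every tunnel has exactly one sainfo with its reqid, and any other output names the section to fix.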