Hello! вс, 5 мая 2019 г. в 13:50, Andrey V. Elsukov <bu7c...@yandex.ru>:
> > 0.The ipsec-tools port currently does not have a maintainer (C) > portmaster > > ... Does this solution really supported? Or I should switch to use > another > > IKE daemon? > I think it is unmaintained in upstream too. > But why it still recommended in FreeBSD handbook? > 1. racoon was 3 times crashed with core dump (2 times on one host, 1 times > > on another host): > > (gdb) bt > > #0 0x000000000024417f in isakmp_info_recv () > > #1 0x00000000002345f4 in isakmp_main () > > #2 0x00000000002307d0 in isakmp_handler () > > #3 0x000000000022f10d in session () > > #4 0x000000000022e62a in main () > > > > 2. racoon generated 2 SA for each traffic direction (from hostA to > hostB). > > IMHO one SA for one each traffic direction should be enough. > > Probably you have something wrong in your configuration. > I'm misunderstand what in my configuration can result core dumps a running daemon... I'm attached a sample racoon.conf. Can You check for possible problems? Also on one host I got a crash in another function: (gdb) bt #0 0x000000000024717f in privsep_init () #1 0x00000000002375f4 in inscontacted () #2 0x00000000002337d0 in isakmp_plist_set_all () #3 0x000000000023210d in isakmp_ph2expire () #4 0x000000000023162a in isakmp_ph1delete () #5 0x000000000023110b in isakmp_ph2resend () #6 0x00000008002aa000 in ?? () #7 0x0000000000000000 in ?? () Note, that if_ipsec(4) interfaces has own security policies and you need > to check that racoon doesn't create additional policies. Also, > if_ipsec(4) uses "reqid" parameter to distinguish IPsec SAs between > interfaces. I made a patch to add special parameter for racoon, so it is > possible to use several if_ipsec(4) interfaces. I think it should be in > port. > https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html > This patch already applied to the ports tree. But it's not enough in my case :( > Also you can use strongswan, we use it for some time and have no problems. > Okey. Thanks You! I will try to use strongswan. I'm tried to replace rsasig authentication with psk, but without luck. I'm against got two ipsec sa for each direction.... -- MATPOCKuH
racoon.conf
Description: Binary data
_______________________________________________ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
