Date: Sun, 13 May 2018 03:02:03 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Andreas Scherrer <ascherrer@gmail.com>, freebsd-net@freebsd.org
Subject: Re: Site-to-site IPSec VPN using if_ipsec and racoon
Message-ID: <9a64e1e8-2258-379e-9ed0-4c8d8bf0aea9@yandex.ru>
In-Reply-To: <951ef6f6-95d8-8832-1e7a-59fc90434029@gmail.com>
References: <951ef6f6-95d8-8832-1e7a-59fc90434029@gmail.com>
On 13.05.2018 02:37, Andreas Scherrer wrote:
> My interpretation of [2]'s statement:
>
> "If no security association is found, the packet is put on hold and the
> IKE daemon is asked to negotiate an appropriate one."
>
> is that it should somehow be automagic. But in my current configuration,
> that does not happen. I never see FreeBSD initiate any IKE traffic
> (500/udp) and 'setkey -D' always reports "No SAD entries.".

Hi,

You need to run racoon in debug mode and then, I think, you will see how
ACQUIRE happens, and why it doesn't work.

> Can anybody point me in the right direction (be it more documentation or
> a working config example)? That would be awesome.

Recently there was a discussion about it, and a config that worked for
one tunnel was published:

https://lists.freebsd.org/pipermail/freebsd-net/2018-April/050271.html

You can read the entire topic to get additional info.

> Best regards
> andreas
>
> Ps.: I have tried the "old" approach which I know better using 'gif'
> interfaces. With that I have managed to get racoon to negotiate SAs for the
> same tunnel (i.e. with libreswan on the RPi). Unfortunately I cannot
> wrap my head around the routing with that approach (no 'gif' on
> Raspbian). And the documentation also mentions this as a limitation of
> 'gif' [3]: "you cannot usually use gif to talk with IPsec devices that
> use IPsec tunnel mode"

You can use gif+IPsec in transport mode from one side, and an IPsec device
with tunnel mode from the other side. Technically this is the same. But I
don't know how hard it is to configure this using IKE.

-- 
WBR, Andrey V. Elsukov
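The two policy shapes Andrey describes, written out as setkey(8) SPD entries; this is an added illustration, not configuration from the thread or from either poster. Addresses, subnets and the interface names are assumptions, and side B is shown in setkey syntax only for comparison (a Libreswan peer states the same selectors in its own configuration).

```conf
# Side A (assumed): FreeBSD with gif0 tunnelled between 203.0.113.10 (local)
# and 198.51.100.20 (peer), carrying 192.168.1.0/24 <-> 192.168.2.0/24.
# Only the IP-in-IP (ipencap) packets that gif emits are selected, and they
# are protected in transport mode. The 'require' level is what makes the
# kernel put the packet on hold and send ACQUIRE to the IKE daemon when no
# matching SA exists; without such a policy racoon is never asked.
spdadd 203.0.113.10/32 198.51.100.20/32 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.20/32 203.0.113.10/32 ipencap -P in  ipsec esp/transport//require;

# Side B (assumed): the same tunnel expressed as tunnel-mode policy, with the
# inner subnets as selectors and the gateways as the tunnel endpoints.
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/198.51.100.20-203.0.113.10/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in  ipsec esp/tunnel/203.0.113.10-198.51.100.20/require;

# On the wire both sides produce: outer IP | ESP | inner IP | payload,
# with ESP next-header 4 (IPIP), which is why the two are equivalent.
```

Load each file with `setkey -f` and inspect the result with `setkey -DP`; the encapsulation matches, but the IKE daemons still have to agree on mode and phase 2 selectors, which is the part Andrey flags as unclear.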