Date: Sun, 13 May 2018 01:37:21 +0200 From: Andreas Scherrer <ascherrer@gmail.com> To: freebsd-net@freebsd.org Subject: Site-to-site IPSec VPN using if_ipsec and racoon Message-ID: <951ef6f6-95d8-8832-1e7a-59fc90434029@gmail.com>
next in thread | raw e-mail | index | archive | help
Hi
I am trying to configure a site to site VPN using the (new?) if_ipsec
interfaces [1]. One endpoint is FreeBSD 11.1-RELEASE whereas the other
will be a RPi (Raspbian 9.4 stretch running libreswan).
The public IPs involved are all IPv6 and the goal is to tunnel IPv4 traffic.
Currently I am struggling with the FreeBSD side (which is using racoon
if that is relevant).
The documentation [1] states:
"When the if_ipsec interface is configured, it automatically creates
special security policies. These policies can be used to acquire
security associations from the IKE daemon, which are needed for
establishing an IPsec tunnel."
But it does not say HOW to do that.
My interpretation of [2]'s statement:
"If no security association is found, the packet is put on hold and the
IKE daemon is asked to negotiate an appropriate one."
is that it should somehow be automagic. But in my current configuration,
that does not happen. I never see FreeBSD initiate any IKE traffic
(500/udp) and 'setkey -D' always reports "No SAD entries.".
I have the 'ipsec0' interface configured and I do see the SPD entry with
'setkey -D -P [-t]':
-----
# setkey -D -P -t
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/<remote IPv6>-<local IPv6>/unique:100
spid=75 seq=3 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/<remote IPv6>-<local IPv6>/unique:100
spid=77 seq=2 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/<local IPv6>-<remote IPv6>/unique:100
spid=76 seq=1 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/<local IPv6>-<remote IPv6>/unique:100
spid=78 seq=0 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
-----
And traffic to my test destination (192.168.112.1) is routed to 'ipsec0':
-----
# route -n show 192.168.112.1
route to: 192.168.112.1
destination: 192.168.112.0
mask: 255.255.255.0
fib: 0
interface: ipsec0
flags: <UP,DONE,STATIC>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1400 1 0
-----
By applying some "reverse logic" to another statement in [2]:
"When a matching policy is found, the kernel will look for a
corresponding security association"
I deduct that maybe for some reason my traffic does not match the
existing policy. But I do not see (or understand) why? Any traffic
through 'ipsec0' should match that policy, no? I am under the impression
that this is one of the basic ideas of having 'ipsec0' in the first
place ("it automatically creates special security policies")?
The example on [1] uses 'setkey -c' to manually configure the SA which
is something I do not want to (and cannot) do.
Can anybody point me in the right direction (be it more documentation or
a working config example)? That would be awesome.
Best regards
andreas
Ps.: I have tried the "old" approach which I know better using 'gif'
interfaces. With that I have managed to get racoon negotiate SAs for the
same tunnel (i.e. with libreswan on the RPi). Unfortunately I cannot
wrap my head around the routing with that approach (no 'gif' on
Raspbian). And the documentation also mentions this as a limitation of
'gif' [3]: "you cannot usually use gif to talk with IPsec devices that
use IPsec tunnel mode"
[1] https://www.freebsd.org/cgi/man.cgi?query=if_ipsec
[2] https://vincent.bernat.im/en/blog/2017-route-based-vpn
[3] https://www.freebsd.org/cgi/man.cgi?query=gif
--
Stell dir vor es geht und keiner kriegt's hin.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?951ef6f6-95d8-8832-1e7a-59fc90434029>