IPsec VTI for Roadwarriors. reqid doesn't work for instantiating CHILD_SAs more than once.
Date: Sun, 09 Apr 2023 07:21:15 UTC
Hi,
I'm using FreeBSD stable/13 and strongSwan 5.9. I have configured my
server as an IPsec responder. A variable number of roadwarriors
connect to this IPsec server, so both Phase 1 and Phase 2 connections
are instantiated. The IPsec connections could be established without any
errors. Each roadwarrior has a network behind it.

I want to create a VTI interface for each incoming IPsec connection.
FreeBSD if_ipsec supports only "reqid" for making a relationship with
strongSwan. According to swanctl.conf, reqid doesn't change if the
connection is instantiated more than once. I tried it, but the "reqid"
is always the same for all the instantiated CHILD_SAs.

On Linux, the "if_id_in" and "if_id_out" properties provide a solution with
IP XFRM interfaces. The updown script creates a new IP XFRM interface with
a unique if_id pair provided by the strongSwan daemon.

Here is the swanctl.conf configuration that works on Linux:
connections {
    phase1-listener {
        local_addrs = %any
        remote_addrs = %any
        mobike = yes
        pools = ip_pool
        rekey_time = 14400s
        reauth_time = 0s
        local {
            id = listener.ipsec
            auth = psk
        }
        remote {
            id = *.branch
            auth = psk
        }
        children {
            phase2-instantiatable {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                updown = /etc/swanctl/updown_xfrm.sh
                if_id_in = %unique
                if_id_out = %unique
                rekey_time = 3600s
                start_action = trap
                close_action = trap
                dpd_action = trap
                ipcomp = no
                esp_proposals = aes128gcm16-prfsha1-modp2048
                mode = tunnel
            }
        }
        version = 2
        dpd_delay = 0s
        proposals = aes128gcm16-prfsha1-modp2048
    }
}
secrets {
    ike-1 {
        id-1 = *.branch
        secret = verycomplexsecret
    }
}
pools {
    ip_pool { addrs = 169.254.6.11-169.254.6.254 }
}
----------------
The updown_xfrm.sh script creates the XFRM interface with the command
template below:
ip link add "${XFRM_INTF}" type xfrm dev "${PLUTO_INTERFACE}" if_id "${PLUTO_IF_ID_IN}"

Is it possible to make it work on FreeBSD?
Regards
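A complete updown script of the kind described in the post, as an added example (it is not the poster's /etc/swanctl/updown_xfrm.sh). It assumes the standard strongSwan updown environment (PLUTO_VERB, PLUTO_INTERFACE, PLUTO_IF_ID_IN, which strongSwan sets when if_id_in/if_id_out are configured); the xfrm<if_id> interface naming and the IP override for dry runs are choices made here.

```sh
#!/bin/sh
# Hypothetical updown script (example added here, not the poster's
# /etc/swanctl/updown_xfrm.sh). strongSwan invokes it with PLUTO_*
# environment variables; with if_id_in/if_id_out = %unique every
# instantiated CHILD_SA gets its own PLUTO_IF_ID_IN, so one XFRM interface
# is created per roadwarrior and removed again when its CHILD_SA is deleted.
# IP is overridable so the logic can be dry-run (IP=echo) without root.
IP=${IP:-ip}

# Interface name derived from the per-CHILD_SA if_id (assumption: stays
# under the 15-character Linux interface name limit for realistic if_ids).
xfrm_ifname() {
    printf 'xfrm%s' "$1"
}

# Create the XFRM interface bound to the if_id and bring it up.
# $1 = underlying device (PLUTO_INTERFACE), $2 = if_id (PLUTO_IF_ID_IN)
xfrm_up() {
    ifname=$(xfrm_ifname "$2")
    "$IP" link add "$ifname" type xfrm dev "$1" if_id "$2"
    "$IP" link set "$ifname" up
}

# Remove the interface when the CHILD_SA goes away. $1 = if_id
xfrm_down() {
    "$IP" link del "$(xfrm_ifname "$1")"
}

# Dispatch on the verb; arguments mirror the environment strongSwan sets.
# $1 = PLUTO_VERB, $2 = PLUTO_INTERFACE, $3 = PLUTO_IF_ID_IN
updown_handle() {
    case $1 in
        up-client)   xfrm_up "$2" "$3" ;;
        down-client) xfrm_down "$3" ;;
        *)           return 0 ;;   # up-host/down-host etc. need nothing here
    esac
}

# Entry point when run by charon; the functions stay usable on their own.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_handle "$PLUTO_VERB" "${PLUTO_INTERFACE:-}" "${PLUTO_IF_ID_IN:-}"
fi
```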