Site-to-site IPSec VPN using if_ipsec and racoon
Andreas Scherrer
ascherrer at gmail.com
Sat May 12 23:37:24 UTC 2018
Hi
I am trying to configure a site to site VPN using the (new?) if_ipsec
interfaces [1]. One endpoint is FreeBSD 11.1-RELEASE whereas the other
will be a RPi (Raspbian 9.4 stretch running libreswan).
The public IPs involved are all IPv6 and the goal is to tunnel IPv4 traffic.
Currently I am struggling with the FreeBSD side (which is using racoon
if that is relevant).
The documentation [1] states:
"When the if_ipsec interface is configured, it automatically creates
special security policies. These policies can be used to acquire
security associations from the IKE daemon, which are needed for
establishing an IPsec tunnel."
But it does not say HOW to do that.
My interpretation of [2]'s statement:
"If no security association is found, the packet is put on hold and the
IKE daemon is asked to negotiate an appropriate one."
is that it should somehow be automagic. But in my current configuration,
that does not happen. I never see FreeBSD initiate any IKE traffic
(500/udp) and 'setkey -D' always reports "No SAD entries.".
I have the 'ipsec0' interface configured and I do see the SPD entry with
'setkey -D -P [-t]':
-----
# setkey -D -P -t
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/<remote IPv6>-<local IPv6>/unique:100
spid=75 seq=3 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/<remote IPv6>-<local IPv6>/unique:100
spid=77 seq=2 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/<local IPv6>-<remote IPv6>/unique:100
spid=76 seq=1 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/<local IPv6>-<remote IPv6>/unique:100
spid=78 seq=0 pid=10410 scope=ifnet ifname=ipsec0
refcnt=1
-----
And traffic to my test destination (192.168.112.1) is routed to 'ipsec0':
-----
# route -n show 192.168.112.1
route to: 192.168.112.1
destination: 192.168.112.0
mask: 255.255.255.0
fib: 0
interface: ipsec0
flags: <UP,DONE,STATIC>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1400 1 0
-----
By applying some "reverse logic" to another statement in [2]:
"When a matching policy is found, the kernel will look for a
corresponding security association"
I deduce that maybe for some reason my traffic does not match the
existing policy. But I do not see (or understand) why? Any traffic
through 'ipsec0' should match that policy, no? I am under the impression
that this is one of the basic ideas of having 'ipsec0' in the first
place ("it automatically creates special security policies")?
The example on [1] uses 'setkey -c' to manually configure the SA which
is something I do not want to (and cannot) do.
Can anybody point me in the right direction (be it more documentation or
a working config example)? That would be awesome.
Best regards
andreas
PS: I have tried the "old" approach which I know better using 'gif'
interfaces. With that I have managed to get racoon to negotiate SAs for the
same tunnel (i.e. with libreswan on the RPi). Unfortunately I cannot
wrap my head around the routing with that approach (no 'gif' on
Raspbian). And the documentation also mentions this as a limitation of
'gif' [3]: "you cannot usually use gif to talk with IPsec devices that
use IPsec tunnel mode"
[1] https://www.freebsd.org/cgi/man.cgi?query=if_ipsec
[2] https://vincent.bernat.im/en/blog/2017-route-based-vpn
[3] https://www.freebsd.org/cgi/man.cgi?query=gif
--
Imagine it works and nobody manages to pull it off.
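An added diagnostic helper, not part of the post above and not FreeBSD's or racoon's own code: it parses the two setkey(8) dumps the post relies on ('setkey -D -P -t' for the SPD and 'setkey -D' for the SAD) and tells apart the three states one meets when debugging an if_ipsec tunnel: the four automatic policies exist but no SA was ever installed, SAs exist but under a reqid that does not match the policy's 'unique:100' (so the kernel will not use them), or a usable pair is present. The point it encodes is that a policy at level unique:N is only satisfied by SAs carrying reqid N. The interface name ipsec0, reqid 100 and the 2001:db8:: endpoint addresses are assumptions, and the sample dumps are constructed to mirror the output format quoted in the post.

```sh
#!/bin/sh
# Added diagnostic helper (example code, not from the original post or
# from FreeBSD/racoon). Assumes ifname ipsec0 and reqid 100; the dumps
# below are CONSTRUCTED samples in the FreeBSD setkey(8) output format.

# Constructed `setkey -D -P -t`: the four policies if_ipsec creates
# (in/out for inet and inet6), all at level unique with reqid 100.
SAMPLE_SPD='0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/2001:db8:2::1-2001:db8:1::1/unique:100
    spid=75 seq=3 pid=10410 scope=ifnet ifname=ipsec0
    refcnt=1
::/0[any] ::/0[any] any
    in ipsec
    esp/tunnel/2001:db8:2::1-2001:db8:1::1/unique:100
    spid=77 seq=2 pid=10410 scope=ifnet ifname=ipsec0
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/2001:db8:1::1-2001:db8:2::1/unique:100
    spid=76 seq=1 pid=10410 scope=ifnet ifname=ipsec0
    refcnt=1
::/0[any] ::/0[any] any
    out ipsec
    esp/tunnel/2001:db8:1::1-2001:db8:2::1/unique:100
    spid=78 seq=0 pid=10410 scope=ifnet ifname=ipsec0
    refcnt=1'

# Constructed `setkey -D` dumps: nothing negotiated; a pair installed with
# reqid 0 (never matches unique:100); and the same pair with reqid 100.
SAMPLE_SAD_EMPTY='No SAD entries.'
SAMPLE_SAD_WRONG_REQID='2001:db8:1::1 2001:db8:2::1
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    E: aes-cbc  00112233 44556677 8899aabb ccddeeff
    A: hmac-sha2-256  00112233 44556677 8899aabb ccddeeff
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
2001:db8:2::1 2001:db8:1::1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
    E: aes-cbc  ffeeddcc bbaa9988 77665544 33221100
    A: hmac-sha2-256  ffeeddcc bbaa9988 77665544 33221100
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'
SAMPLE_SAD_OK=$(printf '%s\n' "$SAMPLE_SAD_WRONG_REQID" |
    sed 's/reqid=0(0x00000000)/reqid=100(0x00000064)/')

# SPD dump on stdin -> one line per policy: "<dir> <af> <level> <reqid> <ifname>"
spd_summary() {
    awk '
    /\[.*\]/ { dir = ""; af = (index($1, ":") > 0) ? "inet6" : "inet" }
    /^[ \t]*(in|out|fwd) / { dir = $1 }
    /^[ \t]*(esp|ah|ipcomp)\// {
        n = split($1, p, "/"); split(p[n], lr, ":")
        level = lr[1]; reqid = (lr[2] == "") ? "-" : lr[2]
    }
    /ifname=/ {
        ifn = $0; sub(/.*ifname=/, "", ifn); sub(/[ \t].*/, "", ifn)
        print dir, af, level, reqid, ifn
    }'
}

# Policies bound to $1 at level unique with reqid $2 (if_ipsec yields 4).
count_ifnet_policies() {
    spd_summary | awk -v ifn="$1" -v rq="$2" \
        '$3 == "unique" && $4 == rq && $5 == ifn { n++ } END { print n + 0 }'
}

# SAD dump on stdin -> the reqid of every SA (nothing for "No SAD entries.").
sad_reqids() {
    awk '/reqid=/ { s = $0; sub(/.*reqid=/, "", s); sub(/\(.*/, "", s); print s }'
}

# SAs whose reqid equals $1, i.e. the only ones a unique:$1 policy can use.
count_matching_sas() {
    sad_reqids | awk -v rq="$1" '$1 == rq { n++ } END { print n + 0 }'
}

# diagnose IFNAME REQID SPD_DUMP SAD_DUMP -> POLICY_MISSING | NO_SA | REQID_MISMATCH | OK
diagnose() {
    pol=$(printf '%s\n' "$3" | count_ifnet_policies "$1" "$2")
    sas=$(printf '%s\n' "$4" | count_matching_sas "$2")
    all=$(printf '%s\n' "$4" | sad_reqids | wc -l | tr -d ' ')
    if [ "$pol" -lt 4 ]; then echo POLICY_MISSING      # ifconfig side is wrong
    elif [ "$sas" -ge 2 ]; then echo OK                # an SA per direction, right reqid
    elif [ "$all" -gt 0 ]; then echo REQID_MISMATCH    # IKE installed SAs the policy cannot use
    else echo NO_SA                                    # IKE never installed anything
    fi
}

# Offline demonstration on the constructed samples:
diagnose ipsec0 100 "$SAMPLE_SPD" "$SAMPLE_SAD_EMPTY"        # NO_SA
diagnose ipsec0 100 "$SAMPLE_SPD" "$SAMPLE_SAD_WRONG_REQID"  # REQID_MISMATCH
diagnose ipsec0 100 "$SAMPLE_SPD" "$SAMPLE_SAD_OK"           # OK
```

On the FreeBSD endpoint the same check runs as root against the live tables with `diagnose ipsec0 100 "$(setkey -D -P -t)" "$(setkey -D)"`; the NO_SA verdict corresponds to the situation described in the post (policies present, SAD empty, no IKE traffic seen), while REQID_MISMATCH is the case to look for once the IKE daemon does start installing SAs.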