Discussion:
Strongswan on NetBSD and pfkey extensions
Valtteri Vuorikoski
2020-06-22 15:25:21 UTC
I have been testing the Strongswan IKE daemon on NetBSD 9.0, and the
good news is that it compiles and works (with a few caveats) with a
couple of #ifdefs to the pfkey module.

The pfkey module is expecting to find the following PF_KEY extensions which
apparently are present on FreeBSD:

#define SADB_X_EXT_SA_REPLAY 26 /* Replay window override. */
#define SADB_X_EXT_NEW_ADDRESS_SRC 27
#define SADB_X_EXT_NEW_ADDRESS_DST 28

While the daemon works well enough without them, they would be nice to have.
Is anyone working on porting these over?

Also the warning "unable to query policy dead::beef/128 ===
beef::dead/128 in: kernel reports no use time" is logged even after
enabling FreeBSD workaround which always sets SADB_EXT_LIFETIME_HARD to
LONG_MAX if nothing else is configured. Is SADB_EXT_LIFETIME_CURRENT
expected to work? Looks like "setkey -DP" doesn't show anything either
(setkey on Linux shows lifetime stuff).

Caveats:
* Only IPv6 transport mode with IKEv2 tested so far. I might give v4/v6 tunnel
modes a spin later on.
* IPv6 source address selection incorrectly uses link-local address
as source unless source is manually set in config, but I think this is broken
on all pfroute platforms: proper address selection code only exists
in the netlink module.

-vuori

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
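An added example, not code from the thread or from strongSwan: a small parser that walks the extension chain of a PF_KEY v2 reply and reports whether the kernel supplied a SADB_EXT_LIFETIME_CURRENT extension with a non-zero use time, the condition behind the "kernel reports no use time" warning quoted above. The struct definitions mirror the RFC 2367 wire layout (host byte order, lengths in 8-byte units) so the block builds without <net/pfkeyv2.h>; the SADB_GET reply it inspects is constructed inline rather than read from a live kernel.

```c
/* Added example, not from the thread: check a PF_KEY v2 reply for a
 * SADB_EXT_LIFETIME_CURRENT use time; strongSwan warns "kernel reports no
 * use time" when it is absent or 0. Structs mirror the RFC 2367 wire layout. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PF_KEY_V2                 2
#define SADB_GET                  5   /* message type used by the constructed reply */
#define SADB_EXT_LIFETIME_CURRENT 1   /* RFC 2367 extension type */

struct pf_msg { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct pf_ext { uint16_t len, type; };   /* header shared by every extension */
struct pf_lifetime { uint16_t len, type; uint32_t allocations; uint64_t bytes, addtime, usetime; };

/* Returns 1 if LIFETIME_CURRENT carries a non-zero use time, 0 if it is absent
 * or zero, -1 if the message or an extension length is inconsistent. */
int pfkey_has_use_time(const uint8_t *buf, size_t buflen, uint64_t *usetime_out)
{
    struct pf_msg hdr;
    if (buflen < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    size_t total = (size_t)hdr.len * 8;      /* PF_KEY lengths are in 8-byte units */
    if (total > buflen) return -1;
    int found = 0;
    for (size_t off = sizeof hdr; off + sizeof(struct pf_ext) <= total; ) {
        struct pf_ext ext;
        memcpy(&ext, buf + off, sizeof ext);
        size_t elen = (size_t)ext.len * 8;
        if (elen < sizeof ext || off + elen > total) return -1;   /* bogus length */
        if (ext.type == SADB_EXT_LIFETIME_CURRENT && elen >= sizeof(struct pf_lifetime)) {
            struct pf_lifetime lt;
            memcpy(&lt, buf + off, sizeof lt);
            if (usetime_out) *usetime_out = lt.usetime;
            found = lt.usetime != 0;
        }
        off += elen;
    }
    return found;
}

/* Constructed SADB_GET reply with one LIFETIME_CURRENT extension, then the check. */
int check_sample_reply(uint64_t usetime, uint64_t *usetime_out)
{
    uint8_t buf[48];
    struct pf_msg hdr = { PF_KEY_V2, SADB_GET, 0, 0, sizeof buf / 8, 0, 1, 0 };
    struct pf_lifetime lt = { sizeof(struct pf_lifetime) / 8, SADB_EXT_LIFETIME_CURRENT, 1, 4096, 1000, usetime };
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, &lt, sizeof lt);
    return pfkey_has_use_time(buf, sizeof buf, usetime_out);
}
```

On a real system the buffer passed to pfkey_has_use_time would be the reply read from a PF_KEY socket after an SADB_GET or SADB_DUMP; a result of 0 on a live SA is exactly what triggers the warning discussed above.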
Greg Troxel
2020-06-22 16:05:38 UTC
Post by Valtteri Vuorikoski
I have been testing the Strongswan IKE daemon on NetBSD 9.0, and the
good news is that it compiles and works (with a few caveats) with a
couple of #ifdefs to the pfkey module.
That's good to hear. Assuming that belongs in pkgsrc, it would be great
to get that (and patches) into wip.
Post by Valtteri Vuorikoski
The pfkey module is expecting to find the following PF_KEY extensions which
#define SADB_X_EXT_SA_REPLAY 26 /* Replay window override. */
#define SADB_X_EXT_NEW_ADDRESS_SRC 27
#define SADB_X_EXT_NEW_ADDRESS_DST 28
While the daemon works well enough without them, they would be nice to have.
Is anyone working on porting these over?
I have not heard of anyone doing that.
Post by Valtteri Vuorikoski
Also the warning "unable to query policy dead::beef/128 ===
beef::dead/128 in: kernel reports no use time" is logged even after
enabling FreeBSD workaround which always sets SADB_EXT_LIFETIME_HARD to
LONG_MAX if nothing else is configured. Is SADB_EXT_LIFETIME_CURRENT
expected to work? Looks like "setkey -DP" doesn't show anything either
(setkey on Linux shows lifetime stuff).
It's been a long time and I don't remember. I'm afraid you'll have to
read the code.
Post by Valtteri Vuorikoski
* Only IPv6 transport mode with IKEv2 tested so far. I might give v4/v6 tunnel
modes a spin later on.
* IPv6 source address selection incorrectly uses link-local address
as source unless source is manually set in config, but I think this is broken
on all pfroute platforms: proper address selection code only exists
in the netlink module.
Anything you can fix upstream is even better.

Valtteri Vuorikoski
2020-06-22 16:46:48 UTC
Post by Greg Troxel
Post by Valtteri Vuorikoski
I have been testing the Strongswan IKE daemon on NetBSD 9.0, and the
good news is that it compiles and works (with a few caveats) with a
couple of #ifdefs to the pfkey module.
That's good to hear. Assuming that belongs in pkgsrc, it would be great
to get that (and patches) into wip.
Yeah, I was thinking about that earlier. The problem is that Strongswan
is currently a packaging nightmare. It has two configuration frontends
and you need to select one at startup: the legacy ipsec.conf one (that
no one should use but probably a lot of people want to use) or the new
swanctl one (which is a lot saner but probably few people know how to
use it). Furthermore, using the swanctl frontend pretty much requires a
service supervisor such as systemd or daemontools.

I'll try to gather strength to deal with that mess after dealing with
the functional issues. Shipping the ipsec.conf frontend may be the path
of least resistance. Current Linuxen seem to usually split Strongswan
into multiple packages to deal with the choice.
Post by Greg Troxel
Post by Valtteri Vuorikoski
* Only IPv6 transport mode with IKEv2 tested so far. I might give v4/v6 tunnel
modes a spin later on.
* IPv6 source address selection incorrectly uses link-local address
as source unless source is manually set in config, but I think this is broken
on all pfroute platforms: proper address selection code only exists
in the netlink module.
Anything you can fix upstream is even better.
I'm planning to put together a simple patch for the pfroute source
address issue and open a ticket upstream since it has been annoying me
on Darwin too for a while.

If I manage to get that working, I'll try to push the pfkey ifdefs
upstream too. It's entirely possible that those will have to stay around
as pkgsrc patches though, since upstream may not want to take
responsibility for NetBSD-specific bits without a definite maintainer
commitment.

-vuori
