Feature #1251

FreeBSD HA

Added by Alex MD almost 5 years ago. Updated almost 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: freebsd
Target version: -
Start date: 02.01.2016
Due date:
Estimated time:
Resolution:

Description

Hello Everyone,

I wanted to build Strongswan 5.3.5 from ports on a FreeBSD 9.3 box, but was not able to find "HA" plugin in port options.
Please advise if Strongswan on FreeBSD supports HA.

Best regards,
Alex

History

#1 Updated by Tobias Feldhaus almost 5 years ago

AFAIK it does not work under FreeBSD as the kernel is different

#2 Updated by Alex MD almost 5 years ago

Tobias Feldhaus wrote:

AFAIK it does not work under FreeBSD as the kernel is different

Thanks for the feedback Tobias.

I built strongswan from sources with --enable-ha option. HA plugin files got created. Then installed strongswan from ports and configured HA.

A transport-mode IPsec connection between the 2 peers cannot be created.

Peer A:

Jan 11 22:08:00 15[KNL] creating acquire job for policy 192.168.0.10/32 === 192.168.0.30/32 with reqid {1}
Jan 11 22:08:00 15[IKE] <ha|2> initiating IKE_SA ha[2] to 192.168.0.30
Jan 11 22:08:00 15[ENC] <ha|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jan 11 22:08:00 15[NET] <ha|2> sending packet: from 192.168.0.10[500] to 192.168.0.30[500] (748 bytes)
Jan 11 22:08:00 13[NET] <ha|2> received packet: from 192.168.0.30[500] to 192.168.0.10[500] (36 bytes)
Jan 11 22:08:00 13[ENC] <ha|2> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 11 22:08:00 13[IKE] <ha|2> received NO_PROPOSAL_CHOSEN notify error

Peer B:

Jan 11 22:07:52 08[NET] <2> received packet: from 192.168.0.10[500] to 192.168.0.30[500] (748 bytes)
Jan 11 22:07:52 08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jan 11 22:07:52 08[IKE] <2> 192.168.0.10 is initiating an IKE_SA
Jan 11 22:07:52 08[CFG] <2> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_6/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jan 11 22:07:52 08[CFG] <2> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256
Jan 11 22:07:52 08[IKE] <2> received proposals inacceptable
Jan 11 22:07:52 08[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 11 22:07:52 08[NET] <2> sending packet: from 192.168.0.30[500] to 192.168.0.10[500] (36 bytes)
Jan 11 22:07:52 08[CFG] requesting HA resynchronization

The same configuration on CentOS works fine.
Please advise if there is a way to fix this.

Thank you
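
As an added diagnostic (not from this thread or from the strongSwan project), the following Python script parses the responder's two [CFG] proposal lines and shows, per transform type, what the received and configured proposals have in common. In peer B's log the configured proposal lists only AES_CBC encryption transforms, so the integrity, PRF and DH types have no overlap at all, which is what the NO_PROPOSAL_CHOSEN reply reports. The sample log is a constructed, shortened copy of the lines above, and the prefix table used to classify transform names is this script's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of peer B's [CFG] lines from the report above.
SAMPLE_LOG = """\
Jan 11 22:07:52 08[CFG] <2> received proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_SHA2_256_128/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/MODP_2048/ECP_256
Jan 11 22:07:52 08[CFG] <2> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256
Jan 11 22:07:52 08[IKE] <2> received proposals inacceptable
"""

# Matches strongSwan's "received proposals: IKE:..." / "configured proposals: IKE:..." lines.
PROPOSAL_RE = re.compile(r"\[CFG\] (?:<[^>]*> )?(received|configured) proposals: IKE:(\S+)")


def transform_type(name: str) -> str:
    """Classify a transform name by prefix (assumed table; unknown names are flagged, not guessed)."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):   # check before the AES_ encryption prefix
        return "INTEG"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if name.startswith(("AES_", "3DES_", "CAMELLIA_", "CHACHA20", "NULL")):
        return "ENCR"
    return "UNKNOWN"


def parse_proposals(log: str) -> dict:
    """Return {'received': {type: set(names)}, 'configured': {type: set(names)}}."""
    out = {"received": defaultdict(set), "configured": defaultdict(set)}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            side, transforms = m.group(1), m.group(2).split("/")
            for t in transforms:
                out[side][transform_type(t)].add(t)
    return out


def diagnose(log: str) -> dict:
    """Per transform type the initiator offered, the overlap with the responder's configured set."""
    p = parse_proposals(log)
    return {ttype: sorted(p["received"][ttype] & p["configured"].get(ttype, set()))
            for ttype in p["received"]}


def missing_types(log: str) -> list:
    """Transform types with no overlap at all; a non-empty list explains NO_PROPOSAL_CHOSEN."""
    return sorted(t for t, common in diagnose(log).items() if not common)


if __name__ == "__main__":
    for ttype, common in diagnose(SAMPLE_LOG).items():
        print(f"{ttype:8s} overlap: {common or 'NONE'}")
    print("types with no match:", missing_types(SAMPLE_LOG))
```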

#3 Updated by Noel Kuntze almost 5 years ago

HA on anything but Linux (with specific, non-mainlined patches) can't work.
It relies on specific features of the Linux kernel to sync the SA replay states.