Newbie, looking for info on ipsec internals

[richard shinn]

Hello, I'm troubleshooting an issue wherein I have two device level ipsec vpn tunnels running on Mac Yosemite. I have a service that kicks off an instance of racoon to create a "private" ipsec tunnel I use to route specific traffic. I also have a Juniper Pulse Vpn client which I use as my normal remote vpn. When I run my racoon instance without being connected through the Juniper VPN, it works properly and my specific traffic is processed correctly. However, when I then connect to Juniper, my racoon instance vpn nolonger processes the traffic. I am 99% certain that the traffic is, in fact, being routed properly through my racoon tun interface. I've done a fair bit of troubleshooting to convince myself that it is not a routing issue (though I will do some more just to be sure).

I know that Juniper is producing ESP packets as well as my Racoon instance. So, what I'm suspecting is that both Racoon and Juniper will install SA/SP (Security Association/Security Policy) instances in the network stack. In theory, I believe this situation ought to work without issue and that ipsec_getpolicybyaddr() ought to return the correct SP. However, I'm wondering if there are any known issues around tunnel interactions and where/how I might find more indepth information on how things might work. I'm reading the sources, of course, but that is a slow slog and I'm also not 100% sure I'm the source for the stack that Apple is actually using (I believe they are using the FreeBSD stack).

Thanks very much for any feedback and/or pointers on where I can find more information.

 

[gkontos]

And this is related to FreeBSD in what way?

 

[richard shinn]

Apple uses the FreeBSD stack?

 

[richard shinn]

I'm asking, specifically, for information about the internals of how ipsec works in the FreeBSD implementation, since I'm 99% certain that Apple uses the FreeBSD stack, and I'm wondering whether anybody knows of any implementation reasons why the above scenario might present a problem to the FreeBSD ipsec implementation. Sorry if I did not make that clear in my post.

 

[asteriskRoss]

Some information on the FreeBSD IPsec implementation is available in the IPv6 chapter of the Developer's Handbook. You may be able to find information about the KAME stack, on which the FreeBSD implementation was based, on the old KAME project website. Whether any of this is relevant to Apple's IPsec implementation on OS X I will let you decide! Perhaps Apple's OS X development forum would be more relevant to your needs?

Should you choose to abandon OS X and instead configure your IPsec tunnels on a FreeBSD box, the FreeBSD handbook has a section on configuring them.

 

[gkontos]

Apple uses the FreeBSD stack?

To some extend but Yosemite is really far off. I am not sure about the IPSEC implementation but I think it is different.

 

[richard shinn]

Ahh. got it. Ok. Thanks very much for the feedback.

 

[SirDice]

I'm sorry, we don't even support the 'derivatives' of FreeBSD, let alone OS-X.

I'm closing this thread. You can submit a new one if the issue happens on a vanilla FreeBSD system.

Thread pc-bsd-freenas-nas4free-and-all-other-freebsd-derivatives.7290