I'm working on a project that wants to establish a large number of IPSec
sockets between a FreeBSD box and some proprietary hardware. Basically,
the FreeBSD box is pretending to be a whole bunch of unique nodes with
different IPs.
We want to run an instance of racoon for each IP address. ISAKMP is
successful if we have only one instance of racoon running. As soon as we
run two, though, we run into problems. For the samples below, we're
running two instances, one for IP 192.168.1.3 and one for 192.168.1.4
Both instances are trying to talk to 192.168.0.2
We run one instance with racoon conf file:
..
listen
{
isakmp 192.168.1.3 [500];
}
..
and the other with
..
listen
{
isakmp 192.168.1.4 [500];
}
..
But when racoon starts trying to do it's thing, funny things happen with
spid numbers and which IP racoon thinks it's talking on. The instance
running for IP 192.168.1.4 shows debug output:
2004-04-21 00:34:47: DEBUG: pfkey.c:1525:pk_recvacquire(): suitable
outbound SP found: 192.168.1.3/32[0] 192.168.0.2/32[0] proto=any dir=out.
..
2004-04-21 00:34:47: DEBUG: pfkey.c:1541:pk_recvacquire(): suitable
inbound SP found: 192.168.0.2/32[0] 192.168.1.3/32[0] proto=any dir=in.
..
2004-04-21 00:34:47: DEBUG: sockmisc.c:421:sendfromto(): sockname
192.168.1.4[500]
2004-04-21 00:34:47: DEBUG: sockmisc.c:423:sendfromto(): send packet from
192.168.1.3[500]
2004-04-21 00:34:47: DEBUG: sockmisc.c:425:sendfromto(): send packet to
192.168.0.2[500]
2004-04-21 00:34:47: ERROR: sockmisc.c:553:sendfromto(): bind 1 (Address
already in use)
..
So it seems that the second instance is trying to use the SP for the
wrong IP address. And then it tries to send the first packet and
fails, which makes perfect sense because the other instance is using IP
192.168.1.3 Can anyone explaing the mismatch between sockname and
the socket that it's actually trying to send on?
Also, any ideas as to why the SP mixup is happening, or suggestions for
how to get around it?
Any help would be greatly appreciated. Thanks so much!
-Keith
kstevens@hmc.edu
******************************
In case it helps, SPD entries:
192.168.0.2[500] 192.168.1.3[500] any
in none
created: Apr 20 23:21:50 2004 lastused: Apr 20 23:21:50 2004
lifetime: 0(s) validtime: 0(s)
spid=16940 seq=7 pid=2744
refcnt=1
192.168.0.2[any] 192.168.1.3[any] any
in ipsec
esp/transport//require
created: Apr 20 23:21:50 2004 lastused: Apr 21 00:34:53 2004
lifetime: 0(s) validtime: 0(s)
spid=16942 seq=6 pid=2744
refcnt=1
192.168.0.2[500] 192.168.1.4[500] any
in none
created: Apr 20 23:21:55 2004 lastused: Apr 20 23:21:55 2004
lifetime: 0(s) validtime: 0(s)
spid=16944 seq=5 pid=2744
refcnt=1
192.168.0.2[any] 192.168.1.4[any] any
in ipsec
esp/transport//require
created: Apr 20 23:21:55 2004 lastused: Apr 20 23:21:55 2004
lifetime: 0(s) validtime: 0(s)
spid=16946 seq=4 pid=2744
refcnt=1
192.168.1.3[500] 192.168.0.2[500] any
out none
created: Apr 20 23:21:50 2004 lastused: Apr 21 00:35:41 2004
lifetime: 0(s) validtime: 0(s)
spid=16941 seq=3 pid=2744
refcnt=1
192.168.1.3[any] 192.168.0.2[any] any
out ipsec
esp/transport//require
created: Apr 20 23:21:50 2004 lastused: Apr 21 00:34:53 2004
lifetime: 0(s) validtime: 0(s)
spid=16943 seq=2 pid=2744
refcnt=1
192.168.1.4[500] 192.168.0.2[500] any
out none
created: Apr 20 23:21:55 2004 lastused: Apr 20 23:21:55 2004
lifetime: 0(s) validtime: 0(s)
spid=16945 seq=1 pid=2744
refcnt=1
192.168.1.4[any] 192.168.0.2[any] any
out ipsec
esp/transport//require
created: Apr 20 23:21:55 2004 lastused: Apr 21 00:35:07 2004
lifetime: 0(s) validtime: 0(s)
spid=16947 seq=0 pid=2744
refcnt=1