Date:      Thu, 2 Aug 2018 08:00:09 +0200
From:      Christian Mauderer <christian.mauderer@embedded-brains.de>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, Alan Somers <asomers@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Configuration for IPSec Loop-Back Test
Message-ID:  <b24f1af5-48d6-5322-05ae-d4c8994ecf91@embedded-brains.de>
In-Reply-To: <0842B1D8-AAB9-4553-AD0B-AB710CEDB68D@lists.zabbadoz.net>
References:  <20127f75-c6d6-463e-046f-3844502f3da9@embedded-brains.de> <CAOtMX2hzxKHBaBtmWcLdNDiDSThGSMribQ7HeKxh%2B8qOTCB3_g@mail.gmail.com> <0842B1D8-AAB9-4553-AD0B-AB710CEDB68D@lists.zabbadoz.net>

On 01.08.2018 at 18:22, Bjoern A. Zeeb wrote:
> On 1 Aug 2018, at 14:50, Alan Somers wrote:
>
>> On Wed, Aug 1, 2018 at 7:15 AM, Christian Mauderer <
>> christian.mauderer@embedded-brains.de> wrote:
>>
>>> Hello,
>>>
>>> I'm working on a port for IPSec and ipsec-tools (racoon, setkey,
>>> libipsec) to an embedded operating system (RTEMS). RTEMS uses the
>>> FreeBSD network stack via a compatibility layer (rtems-libbsd).
>>>
>>> I can already create an IPSec connection on some real hardware with some
>>> real peer. To prevent regression in a future version, I would like to
>>> add a test that would check that the port still works. That test would
>>> have to run on a system _without_ a real hardware peer. Therefore I
>>> would like to create some IPSec loop back connection. In that case
>>> racoon would have to talk to itself because I currently only support one
>>> instance.
>>>
>>> Do you have any hints how I could create such a network?
>>>
>>> My current thought would be something along a virtual network device
>>> (maybe tun?) that can be connected to some other virtual network device
>>> via for example a bridge device. Maybe I could then try to configure two
>>> gif-devices that would use this tunnel. racoon would have to listen on
>>> both devices (maybe on different ports).
>>>
>>> Currently I have trouble setting this up. Are there any simpler ideas
>>> for an IPSec loop back connection that would use most of the stack
>>> layers?
>>>
>>> Thanks in advance for every answer.
>>>
>>> With kind regards
>>>
>>> Christian Mauderer
>>>
>>
>> Does RTEMS support multiple FIBs? In FreeBSD I've done this kind of
>> thing using multiple FIBs with tap(4) devices (though tun(4) might work
>> for your use case). In the FreeBSD source tree, see
>> tests/sys/netinet/fibs_test.sh.
>
>
> And, on FreeBSD, I have used VIMAGE (which I doubt you have) though
> with two vnets in two jails talking to each other or three of them with
> a middle node forwarding or five of them with two clients, two security
> gateways, and a forwarding node.
>
> /bz

Thanks a lot for the answers. I had a look at both suggestions:

- FIBs are currently not really implemented. Theoretically it should be
possible to add them. But it would be quite some effort and it would add
some code that is only used for the tests but would be always active.

- Regarding VIMAGE / vnets: You are right: That part is not imported.

Most likely I'll fall back to writing an example instead of an automated
test. So we can still at least make sure that everything is
compile-clean and it is possible to sometimes run the test manually.

Best regards

Christian Mauderer
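The two-vnet layout Bjoern describes, as an added example that is not part of the thread: a shell script that creates two vnet jails joined by an epair(4), installs a manually keyed transport-mode ESP pair on each side with setkey(8), and checks that a ping crosses the link as ESP rather than plaintext. It assumes a FreeBSD host with VIMAGE and IPsec, root privileges, and constructed keys, SPIs and addresses; it exercises the kernel IPsec path without racoon.

```shell
#!/bin/sh
# Added example, not code from the thread: a manual-keyed IPsec loop-back test
# on the two-vnet layout from the discussion. Two vnet jails ("left"/"right")
# share an epair(4); each side gets mirrored SAs and policies via setkey(8),
# then a ping is checked to have crossed the link as ESP. Assumes FreeBSD with
# VIMAGE, IPsec in the kernel (or `kldload ipsec`), root, and 10.99.0.0/24 free.
set -eu

LEFT_IP=10.99.0.1
RIGHT_IP=10.99.0.2
# Constructed test keys: 128-bit AES-CBC key and 256-bit HMAC-SHA2-256 key.
EKEY=0x00112233445566778899aabbccddeeff
AKEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Print the setkey(8) script for one side. Both sides carry the same two SAs
# (one per direction); only the policy direction flips, so one function serves
# both jails with local/peer swapped.  $1=local $2=peer $3=SPI out $4=SPI in
setkey_script() {
    cat <<EOF
flush; spdflush;
add $1 $2 esp $3 -E rijndael-cbc $EKEY -A hmac-sha2-256 $AKEY;
add $2 $1 esp $4 -E rijndael-cbc $EKEY -A hmac-sha2-256 $AKEY;
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require;
EOF
}

# Build the topology, install the policies, ping across, and succeed only if
# ESP packets were captured on the peer's end of the epair.
esp_loopback_test() {
    epa=$(ifconfig epair create); epb="${epa%a}b"
    trap 'jail -r left; jail -r right; ifconfig "$epa" destroy' EXIT
    jail -c name=left vnet persist allow.raw_sockets    # raw sockets: ping
    jail -c name=right vnet persist allow.raw_sockets
    ifconfig "$epa" vnet left;  jexec left  ifconfig "$epa" "$LEFT_IP/24" up
    ifconfig "$epb" vnet right; jexec right ifconfig "$epb" "$RIGHT_IP/24" up
    setkey_script "$LEFT_IP" "$RIGHT_IP" 0x1001 0x1002 | jexec left setkey -c
    setkey_script "$RIGHT_IP" "$LEFT_IP" 0x1002 0x1001 | jexec right setkey -c
    log=$(mktemp)
    jexec right tcpdump -lni "$epb" esp >"$log" 2>/dev/null &
    cap=$!
    sleep 1; jexec left ping -c 3 "$RIGHT_IP" >/dev/null; sleep 1; kill "$cap"
    seen=$(grep -c 'ESP(' "$log" || true); rm -f "$log"
    echo "ESP packets captured on $epb: $seen"
    [ "$seen" -gt 0 ]
}

# The topology part only makes sense on a FreeBSD host as root.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then esp_loopback_test; fi
```

Because the SAs are keyed by hand, the test covers the SPD/SAD datapath but not IKE; an IKE variant would run one racoon instance inside each jail on top of the same topology.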


