Date:      Fri, 30 Nov 2018 02:11:36 +0300
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        freebsd-net@freebsd.org
Subject:   IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID:  <1519156224.20181130021136@serebryakov.spb.ru>

Hello Freebsd-net,

 I have two routers like this:

[NET 10.1.0.0/24] <-> (10.1.0.1 HOST A 10.2.0.1)
  <->
(10.2.0.2 HOST B 10.10.10.1) <-> [NET 10.10.10.0/24]

 Both HOST A and HOST B run FreeBSD, both are routers (forwarding is
 enabled), host A has "route -net 10.10.10.0/24 10.2.0.2" and host B has
 "route -net 10.1.0.0/24 10.2.0.1".

  I could pass traffic from 10.1.0.0/24 to 10.10.10.0/24 and back without
 problems.

  Now, I want to encrypt this transit traffic between routers (!) but
 without creation of tunnel.

  Is it possible to encrypt this traffic with IPsec in *transport* mode?
 I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.0.0/24
 and 10.10.10.0/24 on A and B (not on the endpoint devices), but it looks like
 it doesn't work: traffic stops. It is not that encrypted traffic is sent but
 dropped on the other end; no, the interfaces between Host A and Host B become
 silent according to "tcpdump", and all forwarded/dropped/error counters in
 "netstat -s" don't change anymore, only "input packets" in "netstat -s -p ip"
 is still counting.

 My SAs and SPDs look like this (for UDP only, for tests):

Host A:

add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";

spdadd 10.1.0.0/24 10.10.10.0/24 udp -P out ipsec esp/transport//require;
spdadd 10.10.10.0/24 10.1.0.0/24 udp -P in  ipsec esp/transport//require;

Host B:

add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";

spdadd 10.10.10.0/24 10.1.0.0/24 udp -P out ipsec esp/transport//require;
spdadd 10.1.0.0/24 10.10.10.0/24 udp -P in  ipsec esp/transport//require;
-- 
Best regards,
 Lev                          mailto:lev@FreeBSD.org
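Added example (editor's illustration, not code from the message or from FreeBSD): a toy model of the SPD/SA lookup that shows why the configuration above cannot carry forwarded packets. It assumes the standard IPsec rule that a transport-mode SA adds no IP header and so must be keyed by the packet's own source/destination, whereas a tunnel-mode policy names the tunnel endpoints; the packet addresses, the tunnel-mode SA and its SPI 0x10002 are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:             # models one spdadd line
    src: str
    dst: str
    proto: str
    direction: str
    mode: str             # 'transport' or 'tunnel'
    tunnel: tuple = None  # (local, remote) endpoints, tunnel mode only

@dataclass(frozen=True)
class SA:                 # models one "add" line
    src: str
    dst: str
    spi: int
    mode: str

def policy_matches(pkt, pol):
    """Selectors of an spdadd entry: direction, protocol, src/dst networks."""
    return (pol.direction == pkt["dir"]
            and pol.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(pol.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(pol.dst))

def required_sa_endpoints(pkt, pol):
    """Transport mode: SA endpoints are the packet's own addresses.
    Tunnel mode: SA endpoints are the policy's tunnel endpoints."""
    return pol.tunnel if pol.mode == "tunnel" else (pkt["src"], pkt["dst"])

def lookup(pkt, policies, sas):
    """Return the SA protecting pkt; None if a 'require' policy matches but
    no SA fits (the packet is dropped); 'bypass' if no policy matches."""
    for pol in policies:
        if policy_matches(pkt, pol):
            want = required_sa_endpoints(pkt, pol)
            return next((sa for sa in sas
                         if sa.mode == pol.mode and (sa.src, sa.dst) == want), None)
    return "bypass"

# Constructed transit packet being forwarded by HOST A towards HOST B.
TRANSIT = {"src": "10.1.0.5", "dst": "10.10.10.7", "proto": "udp", "dir": "out"}
SAS = [SA("10.2.0.1", "10.2.0.2", 0x10001, "transport"),
       SA("10.2.0.1", "10.2.0.2", 0x10002, "tunnel")]  # SPI 0x10002 constructed

def transport_result():   # the message's policy: no SA has 10.1.0.5 -> 10.10.10.7
    return lookup(TRANSIT, [Policy("10.1.0.0/24", "10.10.10.0/24", "udp", "out", "transport")], SAS)

def tunnel_result():      # same selectors, tunnel mode between the routers
    return lookup(TRANSIT, [Policy("10.1.0.0/24", "10.10.10.0/24", "udp", "out",
                                   "tunnel", ("10.2.0.1", "10.2.0.2"))], SAS)
```

The transport-mode SA between the routers is only usable for packets the routers themselves originate (10.2.0.1 to 10.2.0.2); forwarded packets keep the end hosts' addresses, so nothing matches and a "require" policy drops them.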