Date:      Fri, 30 Nov 2018 12:30:08 +0300
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Subject:   Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID:  <881323908.20181130123008@serebryakov.spb.ru>
In-Reply-To: <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>
References:  <1519156224.20181130021136@serebryakov.spb.ru> <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>

Hello Eugene,

Friday, November 30, 2018, 4:06:11 AM, you wrote:

>>  My SAs and SPDs look like this (for UDP only, for tests):
>>
>> Host A:
>>
>> add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
>> add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
>>
>> spdadd 10.1.0.0/24 10.10.10.0/24 udp -P out ipsec esp/transport//require;
>> spdadd 10.10.10.0/24 10.1.0.0/24 udp -P in  ipsec esp/transport//require;
>>
>> Host B:
>>
>> add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
>> add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
>>
>> spdadd 10.10.10.0/24 10.1.0.0/24 udp -P out ipsec esp/transport//require;
>> spdadd 10.1.0.0/24 10.10.10.0/24 udp -P in  ipsec esp/transport//require;


> It is possible and it is the way I have used extensively for a long time, since very old
> FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.
  Eugene, please note that your example has SAs and SPDs with the same
addresses. It works for me too. It doesn't work for me if the SAs have the addresses
of the routers and the SPDs have the addresses of the routed networks. And if the SPDs have
the routers' addresses, then routed traffic is not encrypted; only host-to-host
(router-to-router) traffic is.

> You need to read setkey(8) manual page, section ALGORITHMS and make sure
> you use proper sized keys or it won't work, though.
  Yes, I know that.

> And an example of transport-mode IPSEC with a low-powered device having an on-board
> Geode LX Security Block crypto accelerator with AES-128-CBC support:

> add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc
> "1234567890123456" -A hmac-md5 "0123456789123456";
> add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc
> "9876543210987654" -A hmac-md5 "6543219876543210";

> spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
> spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec  esp/transport//require;

> You have to use bigger keys if you use another -A algorithm like sha*; each character counts for 8 bits.
  Unfortunately, this example does not show what I want to achieve.


-- 
Best regards,
 Lev                            mailto:lev@FreeBSD.org
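Eugene's remark about key sizes is the one thing in this exchange that bites silently: setkey(8) rejects an `add` whose key does not match the size the ALGORITHMS section lists, and a key copied from an hmac-md5 line will not fit hmac-sha1. The following is an added example, not code from the thread or from FreeBSD: a small checker that tokenizes `add` statements the way setkey reads them (double-quoted keys count 8 bits per character, `0x` keys count 4 bits per hex digit) and reports any key whose length the algorithm does not accept. The size table is an assumption transcribed from setkey(8) for common algorithms only, so confirm it against the man page on your own release; the function names and the sample configs are constructed for this example, modelled on the SAs posted above.

```python
"""Check key sizes in setkey(8) 'add' statements before loading them.

Added example for this thread, not part of FreeBSD. The size table below is
an assumption transcribed from the ALGORITHMS section of setkey(8) and only
covers common algorithms; verify it against the man page on your release.
"""
import shlex

# Accepted key sizes in bits per algorithm (assumed subset of setkey(8)).
AUTH_ALGS = {
    "hmac-md5": (128,),
    "hmac-sha1": (160,),
    "hmac-sha2-256": (256,),
    "hmac-sha2-384": (384,),
    "hmac-sha2-512": (512,),
    "aes-xcbc-mac": (128,),
    "null": range(0, 2049),
}
ENC_ALGS = {
    "des-cbc": (64,),
    "3des-cbc": (192,),
    "rijndael-cbc": (128, 192, 256),
    "aes-cbc": (128, 192, 256),
    "camellia-cbc": (128, 192, 256),
    "aes-ctr": (160, 224, 288),
    "null": range(0, 2049),
}


def key_bits(token):
    """Bit length of a key token as setkey(8) counts it."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return (len(token) - 2) * 8      # character string: 8 bits per char
    if token.startswith("0x"):
        return (len(token) - 2) * 4      # hex digits: 4 bits each
    raise ValueError("key must be a double-quoted string or 0x-hex: %r" % token)


def describe(allowed):
    """Human-readable form of an allowed-size entry for error messages."""
    if isinstance(allowed, range):
        return "%d-%d" % (allowed.start, allowed.stop - 1)
    return "/".join(str(b) for b in allowed)


def check_add(tokens):
    """Problems with one tokenized 'add' statement; an empty list means OK."""
    problems = []
    if len(tokens) < 5 or tokens[0] != "add":
        return ["not an add statement: %r" % " ".join(tokens)]
    spi = tokens[4]                      # add src dst proto spi [ext] algs
    j = 5
    while j < len(tokens):
        flag = tokens[j]
        if flag in ("-E", "-A"):
            table = ENC_ALGS if flag == "-E" else AUTH_ALGS
            if j + 2 >= len(tokens):
                problems.append("SPI %s: %s needs an algorithm and a key" % (spi, flag))
                break
            alg, key = tokens[j + 1], tokens[j + 2]
            if alg not in table:
                problems.append("SPI %s: %s %s not in size table" % (spi, flag, alg))
            else:
                try:
                    bits = key_bits(key)
                except ValueError as exc:
                    problems.append("SPI %s: %s" % (spi, exc))
                else:
                    if bits not in table[alg]:
                        problems.append("SPI %s: %s %s key is %d bits, expected %s"
                                        % (spi, flag, alg, bits, describe(table[alg])))
            j += 3
        else:
            j += 2   # other extensions (-m, -r, -u, -f, -lh, -ls) take one argument
    return problems


def check_config(text):
    """Run check_add over every 'add' statement in setkey(8) input."""
    problems = []
    for stmt in text.split(";"):
        # posix=False keeps the quotes on keys so key_bits can tell "" from 0x.
        toks = shlex.split(stmt, comments=True, posix=False)
        if toks and toks[0] == "add":
            problems.extend(check_add(toks))
    return problems


# Constructed sample input modelled on the thread: the rijndael-cbc/hmac-md5
# pair and the null-encryption test SA. All keys are the right size.
GOOD_CONFIG = """
add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc
    "1234567890123456" -A hmac-md5 "0123456789123456";
add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc
    "9876543210987654" -A hmac-md5 "6543219876543210";
add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
"""

# Same line with the 16-character MD5 key reused for hmac-sha1, which needs
# 160 bits; setkey would reject it, and the check flags it.
BAD_CONFIG = """
add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc
    "1234567890123456" -A hmac-sha1 "0123456789123456";
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(cfg) or "OK")
```

Run it over a setkey file before `setkey -f`, or pipe the same text through both; a non-empty result from `check_config` is exactly the case where setkey would refuse the SA and the policy's `require` would then drop the traffic.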