Date: Tue, 27 Feb 2018 14:55:27 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Harry Schmalzbauer <freebsd@omnilan.de>
Cc: freebsd-net@freebsd.org
Subject: Re: if_ipsec(4) and IKEv1 [security/ipsec-tools, racoon.conf]
Message-ID: <b382d01e-7f27-81e0-beba-4fe6009c3815@yandex.ru>
In-Reply-To: <5A953F09.2040503@omnilan.de>
References: <5A952B38.8060007@omnilan.de> <04174d98-c35d-b88b-d0db-ac579b153c57@yandex.ru> <5A953F09.2040503@omnilan.de>
On 27.02.2018 14:20, Harry Schmalzbauer wrote:
> Thank you very much for your explanation!
>
> Unfortunately, I couldn't get the P2P idea behind if_ipsec(4) and I
> thought I'd just need a few minutes to switch from policy based tunnels
> to route based – local brain constraints seem to require me much more time...
>
> My intention was to incorporate ALTQ for ESP payload.
> So my idea was, that I have if_ipsec(4) and utilize pf's queue feature.
> But I have to stop here since I need time to think about if_ipsec(4).

AFAIK, ALTQ requires some support from the network driver; I think
if_ipsec(4) has no such support.

> Maybe others have similar questions, so I just post them at this point,
> and because I will have forgotten next week otherwise:
>
> Is the P2P definition (ifconfig ipsecX ipnum/mask ipnum) meant as
> transfer network?
> If so, why would I want a local IP with a mask other than 0xffffffff?
> And why should the destination belong to the same subnet in that case?
> I'm completely missing something here...

You need to specify tunnel endpoints, i.e. one IP address is your local
one, which will be used as the source address of ESP packets; the second
is the remote IP address, which will be used as the destination address
of the ESP packets.

  # ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5

These addresses are used by the kernel to acquire the needed SAs. Since
if_ipsec(4) was implemented as a P2P interface (to be able to use the
"tunnel" keyword), you need to specify the second IP address in the
"ifconfig ipsecX ipnum/mask ipnum" command. You can use any mask you
want, and the destination address should not be from the same subnet.
The specified destination will be available through a route via this
interface. You can also add some additional routes using this
destination address.

> Also, I don't understand why if_ipsec(4) generates ipsec policies
> defined as 0.0.0.0/0[any] 0.0.0.0/0[any].
> For sure, that's handled differently than the policies I'm aware about,
> because there's scope=ifnet and ifname, but I need some time to
> elaborate the reasons for the way if_ipsec(4) is how it is.

These policies are special and are used to match all packets that will
go through the if_ipsec interface.

> Are there any 3rd-vendor papers, describing a similar implementation
> convention?

I don't know. AFAIK, Linux has something like this, but I'm not familiar
with Linux and don't know how it works. Also, I saw that NetBSD also
added a similar interface:
https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html
It is funny, but they didn't mention that the idea was borrowed from
FreeBSD...

-- 
WBR, Andrey V. Elsukov
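The configuration Andrey describes, as an added shell example that is not part of the thread: the outer endpoints 192.168.0.3/192.168.0.5 are the ones from his reply, while IFNAME, the inner 10.10.0.x P2P addresses, the 10.20.0.0/24 remote subnet and the valid_ipv4/ipsec_tunnel_cmds/apply_tunnel helpers are assumptions of this example. It also emits the extra routes via the P2P destination he mentions and dumps the resulting scope=ifnet policies with setkey -DP.

```sh
#!/bin/sh
# Added example, not code from the thread: bring up a route-based IPsec
# tunnel with if_ipsec(4) on FreeBSD as Andrey describes - outer endpoints
# via "tunnel", inner P2P addresses, then extra routes via the inner peer.
# The outer endpoints 192.168.0.3/192.168.0.5 come from the thread; the
# inner 10.10.0.x addresses and the 10.20.0.0/24 subnet are constructed.
IFNAME=${IFNAME:-ipsec0}

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Print the commands for one tunnel, one per line:
#   $1 local outer IP    $2 remote outer IP
#   $3 local inner addr/prefix    $4 remote inner (P2P destination)
#   $5.. remote subnets to route via the P2P destination
ipsec_tunnel_cmds() {
    [ $# -ge 4 ] || { echo "usage: ipsec_tunnel_cmds lo ro li ri [net..]" >&2; return 1; }
    l_out=$1 r_out=$2 l_in=$3 r_in=$4
    shift 4
    valid_ipv4 "$l_out" && valid_ipv4 "$r_out" && valid_ipv4 "$r_in" \
        && valid_ipv4 "${l_in%/*}" || { echo "bad address" >&2; return 1; }
    echo "ifconfig $IFNAME create"
    # ESP source/destination; the kernel acquires SAs for this pair (racoon).
    echo "ifconfig $IFNAME inet tunnel $l_out $r_out"
    # P2P addresses: any mask works, the peer need not share the subnet.
    echo "ifconfig $IFNAME inet $l_in $r_in"
    for net; do
        echo "route add -net $net $r_in"
    done
}

# Execute the commands only as root on FreeBSD; otherwise just show them.
apply_tunnel() {
    if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
        ipsec_tunnel_cmds "$@" | while IFS= read -r cmd; do eval "$cmd"; done
        # The 0.0.0.0/0[any] policies with scope=ifnet appear in this dump.
        setkey -DP
    else
        ipsec_tunnel_cmds "$@"
    fi
}

if [ "${RUN_TUNNEL_EXAMPLE:-0}" = 1 ]; then
    apply_tunnel 192.168.0.3 192.168.0.5 10.10.0.1/32 10.10.0.2 10.20.0.0/24
fi
```

Run with RUN_TUNNEL_EXAMPLE=1 to apply it; on a non-FreeBSD host or as a non-root user it only prints the command sequence.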
Archived at: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b382d01e-7f27-81e0-beba-4fe6009c3815>