Date:      Fri, 30 Nov 2018 12:22:14 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Eugene Grosbein <eugen@grosbein.net>, Lev Serebryakov <lev@FreeBSD.org>, freebsd-net@freebsd.org
Subject:   Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID:  <cd4c1312-d711-a6c9-fa3e-e92175ff015e@yandex.ru>
In-Reply-To: <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>
References:  <1519156224.20181130021136@serebryakov.spb.ru> <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net>

On 30.11.2018 04:06, Eugene Grosbein wrote:
>> Is it possible to encrypt this traffic with IPsec in *transport* mode?
>> I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.0.0/24
>> and 10.10.10.0/24 on A and B (not on endpoint devices) but looks like it
>> doesn't work, traffic stops. It is not that encrypted traffic is sent but
>> dropped on the other end, no, interfaces between Host A and Host B become
>> silent according to "tcpdump" and all forwarded/dropped/error counters in
>> "netstat -s" don't change anymore, only "input packets" in "netstat -s -p ip"
>> is still counting.
>>
> It is possible and it is the way I have used extensively for a long time, since very old
> FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.
>
> You need to read the setkey(8) manual page, section ALGORITHMS, and make sure
> you use proper sized keys or it won't work, though.
>
> An example of transport mode IPSEC with a low-powered device having an on-board
> Geode LX Security Block crypto accelerator with AES-128-CBC support:
>
> add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc "1234567890123456" -A hmac-md5 "0123456789123456";
> add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc "9876543210987654" -A hmac-md5 "6543219876543210";
>
> spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
> spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec  esp/transport//require;
>
> You have to use bigger keys if you use another -A algorithm like sha*; each character counts for 8 bits.

There is one problem. IPsec won't handle inbound packets that are not
destined to your IP address. Inbound packets are handled based on the
destination address, protocol and SPI value, so if ip_input() doesn't
decide that the ESP packet is for your host, it will not invoke
IPSEC_INPUT() and the encrypted packet will be routed as is.

-- 
WBR, Andrey V. Elsukov
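As an added example (not code from the thread or from FreeBSD), a small Python linter for setkey(8) configuration that checks the two points raised above: the key-size rule from the ALGORITHMS section, and the fact that a transport-mode policy covering forwarded traffic produces ESP packets the far end will route rather than hand to IPsec input. The algorithm table is transcribed from setkey(8); the two sample configs are constructed here, and the router-side one is an assumed reconstruction of the setup Lev describes.

```python
import re
import ipaddress
# Fixed key sizes in bits, from the ALGORITHMS section of FreeBSD setkey(8).
AUTH_BITS = {"hmac-md5": {128}, "hmac-sha1": {160}, "hmac-sha2-256": {256}, "hmac-sha2-512": {512}}
ENC_BITS = {"rijndael-cbc": {128, 192, 256}, "3des-cbc": {192}, "des-cbc": {64}}
KEY = r'("[^"]*"|0x[0-9a-fA-F]+)'  # setkey takes a quoted string or a 0x hex key

def key_bits(tok):
    # Quoted key: 8 bits per character; 0x key: 4 bits per hex digit.
    return (len(tok) - 2) * 4 if tok.startswith("0x") else (len(tok) - 2) * 8

def lint(config):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    sas, findings = [], []
    for line in lines:  # pass 1: SAs and their key sizes
        m = re.match(r"add\s+(\S+)\s+(\S+)\s+(?:esp|ah)\s+\d+(.*);$", line)
        if not m:
            continue
        src, dst, opts = m.groups()
        mode = re.search(r"-m\s+(\w+)", opts)
        sas.append((src, dst, mode.group(1) if mode else "any"))  # setkey default mode is any
        for flag, table in (("-E", ENC_BITS), ("-A", AUTH_BITS)):
            k = re.search(flag + r"\s+(\S+)\s+" + KEY, opts)
            if k and k.group(1) in table and key_bits(k.group(2)) not in table[k.group(1)]:
                findings.append(f"{k.group(1)}: key is {key_bits(k.group(2))} bits, "
                                f"setkey(8) requires one of {sorted(table[k.group(1)])}")
    for line in lines:  # pass 2: transport-mode policies
        m = re.match(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(?:in|out)\s+ipsec\s+\S+/transport/", line)
        if not m:
            continue
        src, dst = (ipaddress.ip_network(a, strict=False) for a in m.group(1, 2))
        if src.num_addresses != 1 or dst.num_addresses != 1:
            # Transport mode keeps the original IP header; the far end only calls IPsec input for ESP addressed to it.
            findings.append(f"transport policy {src} -> {dst} selects forwarded traffic, which the far end routes rather than decrypts")
        elif not any(s == str(src[0]) and d == str(dst[0]) and mo in ("transport", "any") for s, d, mo in sas):
            findings.append(f"no transport-mode SA matches {src[0]} -> {dst[0]}")
    return findings

# Constructed sample: the two SAs and policies Eugene posted in the thread.
EUGENE_CONFIG = """
add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc "1234567890123456" -A hmac-md5 "0123456789123456";
add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc "9876543210987654" -A hmac-md5 "6543219876543210";
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec  esp/transport//require;
"""
# Constructed sample (assumed): a router-side setup like Lev describes, with a 16-character hmac-sha1 key.
ROUTER_CONFIG = """
add 10.2.0.1 10.2.0.2 esp 1000 -m transport -E rijndael-cbc "1234567890123456" -A hmac-sha1 "0123456789123456";
spdadd 10.1.0.0/24 10.10.10.0/24 any -P out ipsec esp/transport//require;
"""
```

Running `lint(EUGENE_CONFIG)` returns no findings, while `lint(ROUTER_CONFIG)` reports the short hmac-sha1 key and the transport policy that selects forwarded traffic.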
