From: Lev Serebryakov <lev@FreeBSD.org>
Date: Fri, 30 Nov 2018 12:30:08 +0300
To: Eugene Grosbein, freebsd-net@freebsd.org
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID: <881323908.20181130123008@serebryakov.spb.ru>
References: <1519156224.20181130021136@serebryakov.spb.ru>
List-Id: Networking and TCP/IP with FreeBSD

Hello Eugene,

Friday, November 30, 2018, 4:06:11 AM, you wrote:

>> My SAs and SPDs look like this (for UDP only, for tests):
>>
>> Host A:
>>
>> add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
>> add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
>>
>> spdadd 10.1.0.0/24 10.10.10.0/24 udp -P out ipsec esp/transport//require;
>> spdadd 10.10.10.0/24 10.1.0.0/24 udp -P in ipsec esp/transport//require;
>>
>> Host B:
>>
>> add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
>> add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
>>
>> spdadd 10.10.10.0/24 10.1.0.0/24 udp -P out ipsec esp/transport//require;
>> spdadd 10.1.0.0/24 10.10.10.0/24 udp -P in ipsec esp/transport//require;

> It is possible, and it is the way I have used extensively for a long time, since very old
> FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.

Eugeny, please note that your example has SAs and SPDs with the same addresses. It works for me too. It doesn't work for me if the SAs have the addresses of the routers and the SPDs have the addresses of the routed networks. And if the SPDs have the routers' addresses, then routed traffic is not encrypted; only host-to-host (router-to-router) traffic is.
> You need to read the setkey(8) manual page, section ALGORITHMS, and make sure
> you use properly sized keys or it won't work, though.

Yes, I know that.

> An example of transport mode IPSEC with a low-powered device having an on-board
> Geode LX Security Block crypto accelerator with AES-128-CBC support:
>
> add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc
> "1234567890123456" -A hmac-md5 "0123456789123456";
> add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc
> "9876543210987654" -A hmac-md5 "6543219876543210";
>
> spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
> spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/transport//require;
>
> You have to use bigger keys if you use another -A algorithm like sha*; each character counts for 8 bits.

Unfortunately, this example does not show what I want to achieve.

-- 
Best regards,
 Lev                            mailto:lev@FreeBSD.org
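The mismatch Lev describes can be seen by modelling the two lookups the kernel performs for an outbound packet: first the SPD selector match, then the search for an SA that can satisfy the matched policy. The script below is an added illustration written for this page; it is not FreeBSD code and does not reproduce the kernel's data structures. It replays Host A's SAD and SPD from the thread, a variant where the SPD names the routers themselves, and (as a generalization beyond the thread, which discusses transport mode only) a hypothetical tunnel-mode SA with a constructed SPI of 0x10002 and a policy of the form esp/tunnel/10.2.0.1-10.2.0.2/require. The transit packet 10.1.0.5 -> 10.10.10.7 is constructed sample input. The model rule is the standard one: a transport-mode SA has no outer header, so its endpoints must equal the packet's own addresses, whereas a tunnel-mode SA is matched on the policy's tunnel endpoints.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class SA:
    """One SAD entry: `add <src> <dst> esp <spi> -m <mode> ...` in setkey syntax."""
    src: str
    dst: str
    spi: int
    mode: str  # "transport" or "tunnel"


@dataclass(frozen=True)
class Policy:
    """One SPD entry: `spdadd <src_net> <dst_net> <proto> -P <dir> ipsec esp/<mode>/<tunnel>/require`."""
    src_net: str
    dst_net: str
    proto: str                       # "udp" or "any"
    direction: str                   # "in" or "out"
    mode: str                        # "transport" or "tunnel"
    tunnel: Optional[Tuple[str, str]] = None  # (outer src, outer dst) for tunnel mode only


def spd_lookup(spd, pkt_src, pkt_dst, proto, direction):
    """Return the first policy whose selector covers the packet, or None."""
    s, d = ip_address(pkt_src), ip_address(pkt_dst)
    for p in spd:
        if p.direction != direction or p.proto not in (proto, "any"):
            continue
        if s in ip_network(p.src_net) and d in ip_network(p.dst_net):
            return p
    return None


def sad_lookup(sad, policy, pkt_src, pkt_dst):
    """Find an SA able to satisfy the policy for this packet.

    Transport mode adds no outer IP header, so the SA endpoints have to be the
    packet's own source and destination. Tunnel mode encapsulates the packet,
    so the SA endpoints must equal the policy's tunnel endpoints instead,
    whatever the inner addresses are.
    """
    want = (pkt_src, pkt_dst) if policy.mode == "transport" else policy.tunnel
    for sa in sad:
        if sa.mode == policy.mode and (sa.src, sa.dst) == want:
            return sa
    return None


def outbound_decision(spd, sad, pkt_src, pkt_dst, proto="udp"):
    """'bypass' (no policy), 'no-SA' (a 'require' policy with no usable SA), or the SA used."""
    policy = spd_lookup(spd, pkt_src, pkt_dst, proto, "out")
    if policy is None:
        return "bypass"
    sa = sad_lookup(sad, policy, pkt_src, pkt_dst)
    if sa is None:
        return "no-SA"
    return f"esp/{sa.mode} spi=0x{sa.spi:x}"


# Host A as posted in the thread: SAs between the router addresses,
# SPD selecting the routed networks.
SAD_A = [SA("10.2.0.1", "10.2.0.2", 0x10001, "transport"),
         SA("10.2.0.2", "10.2.0.1", 0x10001, "transport")]
SPD_A_TRANSIT = [Policy("10.1.0.0/24", "10.10.10.0/24", "udp", "out", "transport"),
                 Policy("10.10.10.0/24", "10.1.0.0/24", "udp", "in", "transport")]

# Variant from the thread: SPD naming the routers themselves.
SPD_A_ROUTERS = [Policy("10.2.0.1/32", "10.2.0.2/32", "udp", "out", "transport")]

# Hypothetical tunnel-mode equivalent (not in the thread); SPI 0x10002 is constructed.
SAD_A_TUNNEL = [SA("10.2.0.1", "10.2.0.2", 0x10002, "tunnel")]
SPD_A_TUNNEL = [Policy("10.1.0.0/24", "10.10.10.0/24", "udp", "out", "tunnel",
                       ("10.2.0.1", "10.2.0.2"))]

TRANSIT = ("10.1.0.5", "10.10.10.7")  # constructed LAN-to-LAN packet crossing both routers


if __name__ == "__main__":
    print("transit, transport SPD:", outbound_decision(SPD_A_TRANSIT, SAD_A, *TRANSIT))
    print("transit, router SPD   :", outbound_decision(SPD_A_ROUTERS, SAD_A, *TRANSIT))
    print("router-to-router      :", outbound_decision(SPD_A_ROUTERS, SAD_A, "10.2.0.1", "10.2.0.2"))
    print("transit, tunnel SPD   :", outbound_decision(SPD_A_TUNNEL, SAD_A_TUNNEL, *TRANSIT))
```

The first two cases are the two failure modes in the mail: with the routed networks in the SPD the policy matches but no transport SA has the packet's addresses as endpoints, and with the routers in the SPD the transit packet matches no policy at all and leaves in the clear. On a real host the same two tables can be inspected with `setkey -D` (SAD) and `setkey -DP` (SPD).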