From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Alan Somers"
Cc: "Christian Mauderer", freebsd-hackers@freebsd.org
Subject: Re: Configuration for IPSec Loop-Back Test
Date: Wed, 01 Aug 2018 16:22:14 +0000
Message-ID: <0842B1D8-AAB9-4553-AD0B-AB710CEDB68D@lists.zabbadoz.net>
References: <20127f75-c6d6-463e-046f-3844502f3da9@embedded-brains.de>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On 1 Aug 2018, at 14:50, Alan Somers wrote:

> On Wed, Aug 1, 2018 at 7:15 AM, Christian Mauderer <christian.mauderer@embedded-brains.de> wrote:
>
>> Hello,
>>
>> I'm working on a port for IPSec and ipsec-tools (racoon, setkey, libipsec) to an embedded operating system (RTEMS). RTEMS uses the FreeBSD network stack via a compatibility layer (rtems-libbsd).
>>
>> I can already create an IPSec connection on some real hardware with some real peer. To prevent regression in a future version, I would like to add a test that would check that the port still works. That test would have to run on a system _without_ a real hardware peer. Therefore I would like to create some IPSec loop-back connection. In that case racoon would have to talk to itself because I currently only support one instance.
>>
>> Do you have any hints on how I could create such a network?
>>
>> My current thought would be something along the lines of a virtual network device (maybe tun?) that can be connected to some other virtual network device via, for example, a bridge device. Maybe I could then try to configure two gif devices that would use this tunnel. racoon would have to listen on both devices (maybe on different ports).
>>
>> Currently I have trouble setting this up. Are there any simpler ideas for an IPSec loop-back connection that would use most of the stack layers?
>>
>> Thanks in advance for every answer.
>>
>> With kind regards
>>
>> Christian Mauderer
>
> Does RTEMS support multiple FIBs? In FreeBSD I've done this kind of thing using multiple FIBs with tap(4) devices (though tun(4) might work for your use case). In the FreeBSD source tree, see tests/sys/netinet/fibs_test.sh.

And, on FreeBSD, I have used VIMAGE (which I doubt you have), though with two vnets in two jails talking to each other, or three of them with a middle node forwarding, or five of them with two clients, two security gateways, and a forwarding node.

/bz
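The simplest shape of the VIMAGE setup Bjoern describes (two vnets in two jails talking to each other over an epair), written out as an added example. This is not code from the thread, from FreeBSD's test suite or from rtems-libbsd, and it does not use racoon: the SAs are keyed manually with setkey(8), so the loop-back exercises the kernel IPsec path (SPD lookup, ESP encapsulation, decapsulation) but not IKE. It assumes a FreeBSD kernel built with `options VIMAGE` and `options IPSEC`, run as root; the jail names, addresses, SPIs, keys and the state file under /tmp are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: an IPsec
# loop-back test bed built from two VIMAGE jails joined by an epair(4),
# with a manually keyed ESP transport-mode SA in each direction.
# Assumes FreeBSD with options VIMAGE and IPSEC in the kernel, run as root.
# Jail names, addresses, SPIs and keys are constructed for this example.
set -eu

JAIL_A=ipsec_a
JAIL_B=ipsec_b
ADDR_A=10.99.0.1
ADDR_B=10.99.0.2
SPI_AB=0x1000          # SA protecting traffic A -> B
SPI_BA=0x1001          # SA protecting traffic B -> A
# Constructed test keys: 128-bit AES keys (32 hex digits) and
# 256-bit HMAC-SHA2-256 keys (64 hex digits).
ENC_KEY_AB=0x0123456789abcdef0123456789abcdef
ENC_KEY_BA=0xfedcba9876543210fedcba9876543210
AUTH_KEY_AB=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
AUTH_KEY_BA=0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
STATE_FILE=/tmp/ipsec_loopback.epair   # remembers the epair name for teardown

# Print the setkey(8) script for one endpoint. $1 is the local address,
# $2 the peer. SPIs and keys are chosen per direction (A->B or B->A), so
# both jails install identical SAs and differ only in the policy direction.
gen_setkey_conf() {
    local_addr=$1
    peer_addr=$2
    if [ "$local_addr" = "$ADDR_A" ]; then
        spi_out=$SPI_AB; ekey_out=$ENC_KEY_AB; akey_out=$AUTH_KEY_AB
        spi_in=$SPI_BA;  ekey_in=$ENC_KEY_BA;  akey_in=$AUTH_KEY_BA
    else
        spi_out=$SPI_BA; ekey_out=$ENC_KEY_BA; akey_out=$AUTH_KEY_BA
        spi_in=$SPI_AB;  ekey_in=$ENC_KEY_AB;  akey_in=$AUTH_KEY_AB
    fi
    cat <<EOF
flush;
spdflush;
add $local_addr $peer_addr esp $spi_out -m transport -E rijndael-cbc $ekey_out -A hmac-sha2-256 $akey_out;
add $peer_addr $local_addr esp $spi_in -m transport -E rijndael-cbc $ekey_in -A hmac-sha2-256 $akey_in;
spdadd $local_addr $peer_addr any -P out ipsec esp/transport//require;
spdadd $peer_addr $local_addr any -P in ipsec esp/transport//require;
EOF
}

# Build the test bed: one epair, one vnet jail per end, then key both ends.
# Each vnet has its own SPD and SAD, so setkey is run inside each jail.
setup() {
    side_a=$(ifconfig epair create)        # prints the "a" side, e.g. epair0a
    side_b="${side_a%a}b"
    jail -c name="$JAIL_A" vnet persist
    jail -c name="$JAIL_B" vnet persist
    ifconfig "$side_a" vnet "$JAIL_A"
    ifconfig "$side_b" vnet "$JAIL_B"
    jexec "$JAIL_A" ifconfig "$side_a" inet "$ADDR_A/24" up
    jexec "$JAIL_B" ifconfig "$side_b" inet "$ADDR_B/24" up
    gen_setkey_conf "$ADDR_A" "$ADDR_B" | jexec "$JAIL_A" setkey -c
    gen_setkey_conf "$ADDR_B" "$ADDR_A" | jexec "$JAIL_B" setkey -c
    echo "$side_a" > "$STATE_FILE"
}

# Regression check: ping must succeed with the "require" policies installed,
# and the SA byte counters in "setkey -D" must have grown, which shows the
# packets went through ESP rather than in the clear.
check() {
    jexec "$JAIL_A" ping -c 3 "$ADDR_B"
    jexec "$JAIL_A" setkey -D
}

# Remove the jails (their interfaces return to the host vnet) and the epair.
teardown() {
    jail -r "$JAIL_A" || true
    jail -r "$JAIL_B" || true
    if [ -f "$STATE_FILE" ]; then
        ifconfig "$(cat "$STATE_FILE")" destroy   # destroys both halves
        rm -f "$STATE_FILE"
    fi
}

case "${1:-}" in
    setup)    setup ;;
    check)    check ;;
    teardown) teardown ;;
esac
```

Run it as `sh ipsec_loopback.sh setup`, `sh ipsec_loopback.sh check`, then `sh ipsec_loopback.sh teardown`. The `require` level in both `spdadd` lines is what makes this a useful regression test: if ESP stops working, the policy blocks the plaintext path and the ping fails instead of silently falling back. To bring IKE into the loop, the two `add` lines would be dropped and a racoon instance started in each jail, which needs two instances because each vnet sees only its own addresses. On RTEMS without jails, Alan's multiple-FIB approach with tap(4) is the closer fit; the setkey script above is the same in either case.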