Date: Tue, 23 Feb 2016 16:47:01 +0100
From: José Manuel Quintana Cámara <jmquintanacamara@gmail.com>
To: freebsd-questions@freebsd.org
Subject: IPSec multicast limitation?
Message-ID: <CADcMciBU%2B1Xyr9D-6HL95rsaMHREkJHb2L-F_70nPejyyec6sQ@mail.gmail.com>
Dear FreeBSD developers,

I am Jose Manuel, software engineer. I got your email address from the website (https://www.freebsd.org/mailto.html). I am sorry if this is not the right place to ask my question. If so, please tell me where to do it.

I write to you because I am finding some problems when using IPSec multicast mode. I hope to be clear describing my problem.

I am using the network environment (file attached Network.png).

Firstly, I performed IP multicast communications (IP, not IPSec, just to check that multicast is working properly) sending data from PC4 to PC1 and PC2. Everything OK. Then I enabled IPSec by means of using setkey (https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8) and found:

1. With IPSec unicast communications: I found some examples for IPSec unicast in the setkey man page. I configured a pair of SAs between PC4 and PC1 in tunnel mode (between routers 1 and 4) and it worked perfectly: I see that UDP data exchanged between PC1 and PC4 is protected between routers 1 and 4 in ESP mode. I attach the file IPSec_Unicast.txt with the SAs and SPs created, working in every pair of PCs.

2. Now I have IPSec unicast working and IP multicast, let's put IPSec multicast to work together... but I found problems with it :( I have not found any multicast example in the setkey man page. Since there are no multicast examples, I wonder if setkey is only made for unicast... or the kernel is not able to do it... I found this post from a guy who says it worked using the multicast address when creating the SA (http://security.stackexchange.com/questions/85915/ipsec-on-multicast). So, I tried in the same way, using the multicast address, to send data from PC4 to PC1 and PC2 (belonging to the multicast group) and I found that router4 received the UDP frames but it didn't output the ESP frames to the rest of the routers.

I attach the file IPSec_Multicast.txt with the SAs and SPs created, not sure whether they are well built or not.

I have the following questions:

1. Is there a limitation in the FreeBSD kernel of using IPSec multicast?
2. If not, is the limitation in setkey? Or maybe I am not using setkey correctly?

Thank you very much in advance and congratulations for your work!

Best regards,
José Manuel Quintana
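The attached SA/SP files are not in the archive, so the following is an added example (not the poster's configuration) that emits setkey(8) statements for the tunnel-mode ESP setup between routers 1 and 4 that the post describes, plus one reading of the multicast attempt. All addresses, SPIs and keys are constructed placeholders, and the multicast form is an assumption about what "using the multicast address" looked like; the post reports that form produced no ESP output on router4.

```shell
#!/bin/sh
# Added example, not from the original post. Emits setkey(8) configuration
# for the topology described: PC1 behind router1, PC4 behind router4.
# Every address, SPI and key below is a CONSTRUCTED placeholder.
R1_OUT=10.0.0.1        # router1 outer (tunnel endpoint) address, constructed
R4_OUT=10.0.0.4        # router4 outer (tunnel endpoint) address, constructed
NET1=192.168.1.0/24    # PC1 side network, constructed
NET4=192.168.4.0/24    # PC4 side network, constructed
MCAST=239.1.1.1        # multicast group PC1/PC2 joined, constructed
# Test-only keys of the lengths setkey checks (aes-cbc 128 bit,
# hmac-sha2-256 256 bit). Generate real ones with:
#   openssl rand -hex 16    and    openssl rand -hex 32
ENC_KEY=0x00112233445566778899aabbccddeeff
AUTH_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# One SA per direction; the SPI must match what the peer router loads.
sa() { # $1 src  $2 dst  $3 spi
  printf 'add %s %s esp %s -m tunnel -E aes-cbc %s -A hmac-sha2-256 %s;\n' \
    "$1" "$2" "$3" "$ENC_KEY" "$AUTH_KEY"
}
# SP: which inner traffic must use which tunnel, and in which direction.
sp() { # $1 src-range  $2 dst-range  $3 in|out  $4 gw-src  $5 gw-dst
  printf 'spdadd %s %s any -P %s ipsec esp/tunnel/%s-%s/require;\n' \
    "$1" "$2" "$3" "$4" "$5"
}
# Unicast tunnel as loaded on router1 (swap in/out and endpoints on router4).
unicast_conf() {
  echo 'flush; spdflush;'
  sa "$R1_OUT" "$R4_OUT" 0x1001
  sa "$R4_OUT" "$R1_OUT" 0x1004
  sp "$NET1" "$NET4" out "$R1_OUT" "$R4_OUT"
  sp "$NET4" "$NET1" in  "$R4_OUT" "$R1_OUT"
}
# Assumed form of the multicast attempt on router4: the group address as
# the SA/tunnel destination. The post reports no ESP output with this approach.
multicast_attempt() {
  sa "$R4_OUT" "$MCAST" 0x2004
  sp "$NET4" "$MCAST/32" out "$R4_OUT" "$MCAST"
}
# Usage on a router: unicast_conf | setkey -c ; verify with setkey -D / -DP
```

Load the output with `setkey -c` on each router and compare `setkey -D` and `setkey -DP` on both ends before capturing traffic; a missing or mismatched SPI on one side is the usual reason ESP never leaves the router.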