From owner-freebsd-questions@freebsd.org Tue Feb 23 15:47:24 2016
From: José Manuel Quintana Cámara
Date: Tue, 23 Feb 2016 16:47:01 +0100
Subject: IPSec multicast limitation?
To: freebsd-questions@freebsd.org

Dear FreeBSD developers,

I am Jose Manuel, software engineer. I got your email address from the website (https://www.freebsd.org/mailto.html). I am sorry if this is not the right place to ask my question. If so, please tell me where to do it.

I write to you because I am finding some problems when using IPSec multicast mode. I hope to be clear describing my problem.

I am using the network environment (file attached Network.png). [image: embedded image 1]

Firstly, I performed IP multicast communications (IP, not IPSec, just to check that multicast is working properly), sending data from PC4 to PC1 and PC2. Everything OK.

Then I enabled IPSec by means of setkey (https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8) and found:

1. With IPSec unicast communications: I found some examples for IPSec unicast in the setkey man page. I configured a pair of SAs between PC4 and PC1 in tunnel mode (between routers 1 and 4) and it worked perfectly: I see that UDP data exchanged between PC1 and PC4 is protected between routers 1 and 4 in ESP mode. I attach the file IPSec_Unicast.txt with the SAs and SPs created, working in every pair of PCs.

2. Now I have IPSec unicast working and IP multicast; let's put IPSec multicast to work together... but I found problems with it :( I have not found any multicast example in the setkey man page. Since there are no multicast examples, I wonder if setkey is only made for unicast... or the kernel is not able to do it... I found this post from a guy who says it worked using the multicast address when creating the SA (http://security.stackexchange.com/questions/85915/ipsec-on-multicast). So, I tried in the same way, using the multicast address, to send data from PC4 to PC1 and PC2 (belonging to the multicast group) and I found that router4 received the UDP frames but it didn't output the ESP frames to the rest of the routers. I attach the file IPSec_Multicast.txt with the SAs and SPs created; I am not sure whether they are well built or not.

I have the following questions:

1. Is there a limitation in the FreeBSD kernel of using IPSec multicast?
2. If not, is the limitation in setkey? Or maybe I am not using setkey correctly?

Thank you very much in advance and congratulations on your work!

Best regards,
José Manuel Quintana
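As an added example, not part of the original message or of its attached files, this is what a manually keyed tunnel-mode ESP setup like the unicast one described in item 1 looks like in setkey(8) syntax; the router addresses, PC subnets, SPIs and keys are constructed placeholders.

```conf
# Added illustration (not from the original message): manual-keyed ESP in
# tunnel mode between two routers, protecting traffic between the PCs behind
# them. Constructed placeholders: R1 = 192.0.2.1 (router 1), R4 = 192.0.2.4
# (router 4), PC1 on 10.1.0.0/24 behind R1, PC4 on 10.4.0.0/24 behind R4.
# Load on router 1 with: setkey -f <this file>

flush;
spdflush;

# SAs are unidirectional, so one is needed per direction. ESP with AES-CBC
# (128-bit key) and HMAC-SHA-256 (256-bit key). Manual keys never rotate;
# beyond a lab, let IKE negotiate them instead.
add 192.0.2.1 192.0.2.4 esp 0x10001 -m tunnel
    -E aes-cbc 0x0123456789abcdef0123456789abcdef
    -A hmac-sha256 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;
add 192.0.2.4 192.0.2.1 esp 0x10002 -m tunnel
    -E aes-cbc 0xfedcba9876543210fedcba9876543210
    -A hmac-sha256 0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210;

# Policies select the PC subnets and point at the router-to-router tunnel.
# On router 1: traffic from PC1's subnet towards PC4's subnet must leave
# through the tunnel to R4 ...
spdadd 10.1.0.0/24 10.4.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.4/require;
# ... and traffic from PC4's subnet is only accepted if it arrived through it.
spdadd 10.4.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/192.0.2.4-192.0.2.1/require;

# Router 4 uses the same two "add" lines and the two "spdadd" lines with the
# subnets, directions and tunnel endpoints mirrored.
```

`setkey -D` lists the installed SAs and `setkey -DP` the policies, which is the first thing to compare against a capture when a router receives the cleartext but emits no ESP; with this configuration a tcpdump on router 1's outside interface should show ESP between 192.0.2.1 and 192.0.2.4 rather than the PCs' UDP.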