Date: Tue, 23 Feb 2016 16:48:16 +0100
From: José Manuel Quintana Cámara <jmquintanacamara@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: IPSec multicast limitation?
Message-ID: <CADcMciA7LQiVvX7y4k7gyuxQqtH=K=dNK2U7q=1hvPMvn=CLCw@mail.gmail.com>
In-Reply-To: <CADcMciBU+1Xyr9D-6HL95rsaMHREkJHb2L-F_70nPejyyec6sQ@mail.gmail.com>
References: <CADcMciBU+1Xyr9D-6HL95rsaMHREkJHb2L-F_70nPejyyec6sQ@mail.gmail.com>
[-- Attachment #1 --]
Sorry, I forgot to attach the files. Now they are.

2016-02-23 16:47 GMT+01:00 José Manuel Quintana Cámara <jmquintanacamara@gmail.com>:
> Dear FreeBSD developers,
>
> I am Jose Manuel, software engineer. I got your email address from the
> website (https://www.freebsd.org/mailto.html). I am sorry if this is not
> the right place to ask my question. If so, please tell me where to do it.
>
> I write to you because I am finding some problems when using IPSec
> multicast mode. I hope to be clear describing my problem.
>
> I am using the network environment (file attached Network.png).
>
> Firstly, I performed IP multicast communications (IP, not IPSec, just to
> check that multicast is working properly) sending data from PC4 to PC1 and
> PC2. Everything OK.
>
> Then I enabled IPSec by means of using setkey
> (https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8) and found:
> 1. with IPSec unicast communications: I found some examples for IPSec
> unicast in the setkey man page. I configured a pair of SAs between PC4 and
> PC1 in tunnel mode (between routers 1 and 4) and it worked perfectly: I see
> that UDP data exchanged between PC1 and PC4 is protected between routers 1
> and 4 in ESP mode. I attach the file IPSec_Unicast.txt with the SAs and SPs
> created, working in every pair of PCs.
>
> 2. Now I have IPSec unicast working and IP multicast, let's put to work
> IPSec multicast together... but I found problems with it :(
> I have not found any multicast example in the setkey man page. Since there
> are no multicast examples, I wonder if setkey is only made for unicast...
> or the kernel is not able to do it...
> I found this post from a guy who says it worked using the multicast
> address when creating the SA
> (http://security.stackexchange.com/questions/85915/ipsec-on-multicast).
> So, I tried in the same way, using the multicast address, to send data from
> PC4 to PC1 and PC2 (belonging to multicast group) and I found that the
> router4 received the UDP frames but it didn't output the ESP frames to the
> rest of routers. I attach the file IPSec_Multicast.txt with the SAs and SPs
> created, not sure whether they are well built or not.
>
> I have the following questions:
> 1. is there a limitation in the FreeBSD kernel of using IPSec multicast?
> 2. if not, is the limitation in setkey? or maybe I am not using setkey
> correctly?
>
> Thank you very much in advance and congratulations for your work!
>
> Best regards,
> José Manuel Quintana

[-- Attachment #2 --]
---------------------------
router1
---------------------------
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;

---------------------------
router2
---------------------------
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;

---------------------------
router3
---------------------------
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;

---------------------------
router4
---------------------------
#multicast SENDER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P out ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;

[-- Attachment #3 --]
---------------------------
router1
---------------------------
#router1 - router2
add 10.0.1.1 10.0.1.2 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.1.2 10.0.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.1.2/require ;

#router1 - router3
add 10.0.1.1 10.0.1.3 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.1.3 10.0.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.1.3/require ;

#router1 - router4
add 10.0.1.1 10.0.1.4 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.1.4 10.0.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.4.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.1.4/require ;

---------------------------
router2
---------------------------
#router2 - router1
add 10.0.1.2 10.0.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.1 10.0.1.2 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.2.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.0.1.1/require ;

#router2 - router3
add 10.0.1.2 10.0.1.3 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.3 10.0.1.2 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.2.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.0.1.3/require ;

#router2 - router4
add 10.0.1.2 10.0.1.4 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.4 10.0.1.2 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.2.0/24 10.0.4.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.0.1.4/require ;

---------------------------
router3
---------------------------
#router3 - router1
add 10.0.1.3 10.0.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.1 10.0.1.3 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.3.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.1.3-10.0.1.1/require ;

#router3 - router2
add 10.0.1.3 10.0.1.2 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.2 10.0.1.3 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.3.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.3-10.0.1.2/require ;

#router3 - router4
add 10.0.1.3 10.0.1.4 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.4 10.0.1.3 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.3.0/24 10.0.4.0/24 any -P out ipsec esp/tunnel/10.0.1.3-10.0.1.4/require ;

---------------------------
router4
---------------------------
#router4 - router1
add 10.0.1.4 10.0.1.1 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.1 10.0.1.4 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.4.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.1.4-10.0.1.1/require ;

#router4 - router2
add 10.0.1.4 10.0.1.2 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.2 10.0.1.4 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.4.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.4-10.0.1.2/require ;

#router4 - router3
add 10.0.1.4 10.0.1.3 esp 0x0c41304e
    -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.3 10.0.1.4 esp 0x06f0a592
    -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3
    -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.4.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.4-10.0.1.3/require ;
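A pre-load sanity check for setkey files like the two attached above, as an added example that is not part of the original post or of FreeBSD's own tooling: it parses `add`/`spdadd` statements, verifies the fixed key lengths of 3des-cbc and hmac-sha1, flags identical key material shared by more than one SA (the unicast attachment reuses two key sets across every peer pair), checks that each tunnel policy has an SA with the same outer src/dst, and reports when a tunnel's outer destination is a multicast group, which is the point the thread leaves open. The sample input is router4's multicast entries copied from Attachment #2; the check names and finding strings are this example's own.

```python
import ipaddress
import re
# Constructed sample: router4's multicast SENDER entries, copied from the attachment above.
ROUTER4_MCAST = """
#multicast SENDER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813
    -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P out ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;
"""
KEY_BYTES = {"3des-cbc": 24, "hmac-sha1": 20}  # fixed key sizes (bytes) of the algorithms used here

def parse_setkey(text):
    """Split setkey(8) input into ';'-terminated statements; return (SAs, SPs)."""
    sas, sps = [], []
    for stmt in re.sub(r"#[^\n]*", "", text).split(";"):  # drop '#' comments first
        tok = stmt.split()
        if tok and tok[0] == "add":  # add <src> <dst> <proto> <spi> -E <alg> <key> -A <alg> <key>
            sa = {"src": tok[1], "dst": tok[2], "proto": tok[3], "spi": tok[4]}
            for flag, name in (("-E", "enc"), ("-A", "auth")):
                if flag in tok:
                    i = tok.index(flag)
                    sa[name + "_alg"], sa[name + "_key"] = tok[i + 1], tok[i + 2]
            sas.append(sa)
        elif tok and tok[0] == "spdadd":  # spdadd <src> <dst> <upper> -P <dir> ipsec <policy>
            m = re.search(r"/tunnel/([\d.]+)-([\d.]+)/", stmt)
            sps.append({"src": tok[1], "dst": tok[2], "tunnel": (m.group(1), m.group(2)) if m else None})
    return sas, sps

def check_config(text):
    """Return the findings a reviewer would want before loading this config."""
    sas, sps = parse_setkey(text)
    findings, seen = [], {}
    for sa in sas:
        name = f"{sa['src']}->{sa['dst']}"
        for kind in ("enc", "auth"):
            alg, key = sa.get(kind + "_alg"), sa.get(kind + "_key", "0x")
            if KEY_BYTES.get(alg) not in (None, (len(key) - 2) // 2):
                findings.append(f"bad key length for {alg} in SA {name}")
        k = (sa.get("enc_key"), sa.get("auth_key"))  # identical keys in two SAs = reuse across peers
        if k in seen:
            findings.append(f"key reuse: SA {name} shares keys with {seen[k]}")
        seen.setdefault(k, name)
    for sp in sps:  # every tunnel policy needs an SA whose src/dst equal its outer endpoints
        if sp["tunnel"]:
            osrc, odst = sp["tunnel"]
            if not any(s["src"] == osrc and s["dst"] == odst for s in sas):
                findings.append(f"no SA for tunnel {osrc}->{odst}")
            if ipaddress.ip_address(odst).is_multicast:
                findings.append(f"tunnel outer destination {odst} is a multicast group")
    return findings
```

Run `check_config(open("IPSec_Unicast.txt").read())` against the unicast attachment to see the key-reuse findings for every peer pair.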
