From: Lev Serebryakov <lev@FreeBSD.org>
Organization: FreeBSD
Date: Fri, 30 Nov 2018 02:11:36 +0300
Message-ID: <1519156224.20181130021136@serebryakov.spb.ru>
To: freebsd-net@freebsd.org
Subject: IPsec: is it possible to encrypt transit traffic in transport mode?
Hello Freebsd-net,

I have two routers like this:

  [NET 10.1.0.0/24] <-> (10.1.0.1 HOST A 10.2.0.1) <-> (10.2.0.2 HOST B 10.10.10.1) <-> [NET 10.10.10.0/24]

Both HOST A and HOST B run FreeBSD, both are routers (forwarding is enabled), host A has "route -net 10.10.10.0/24 10.2.0.2" and host B has "route -net 10.1.0.0/24 10.2.0.1". I could pass traffic from 10.1.0.0/24 to 10.10.10.0/24 and back without problems.

Now, I want to encrypt this transit traffic between routers (!) but without creation of a tunnel. Is it possible to encrypt this traffic with IPsec in *transport* mode?

I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.0.0/24 and 10.10.10.0/24 on A and B (not on endpoint devices), but it looks like it doesn't work: traffic stops. It is not that encrypted traffic is sent but dropped on the other end; no, the interfaces between Host A and Host B become silent according to "tcpdump", and all forwarded/dropped/error counters in "netstat -s" don't change anymore; only "input packets" in "netstat -s -p ip" is still counting.
My SAs and SPDs look like this (for UDP only, for tests):

Host A:

  add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
  add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
  spdadd 10.1.0.0/24 10.10.10.0/24 udp -P out ipsec esp/transport//require;
  spdadd 10.10.10.0/24 10.1.0.0/24 udp -P in ipsec esp/transport//require;

Host B:

  add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
  add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
  spdadd 10.10.10.0/24 10.1.0.0/24 udp -P out ipsec esp/transport//require;
  spdadd 10.1.0.0/24 10.10.10.0/24 udp -P in ipsec esp/transport//require;

-- 
Best regards,
 Lev                          mailto:lev@FreeBSD.org
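The following is an added model of the outbound SPD/SA lookup for Host A's entries above; it is not code from the thread and not FreeBSD's implementation. It assumes the RFC 4301 rule that a transport-mode SA is selected by the packet's own source and destination addresses (so it can only protect traffic the host itself sends or receives), whereas a tunnel-mode policy names the outer endpoints explicitly. The tunnel-mode entries, the sample packet 10.1.0.5 -> 10.10.10.5, and the decision strings are constructed for the example; the UDP protocol selector is ignored for brevity.

```python
# Added example: model of how an outbound IPsec policy lookup treats the
# setkey(8) entries from the message above. Assumes RFC 4301 semantics:
# transport-mode SAs are looked up by the packet's own addresses, tunnel-mode
# policies carry their own outer endpoints. Not FreeBSD kernel code.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    mode: str            # "transport" or "tunnel"


@dataclass(frozen=True)
class Policy:
    src_net: str
    dst_net: str
    direction: str       # "in" or "out"
    mode: str            # "transport" or "tunnel"
    tunnel: Optional[Tuple[str, str]] = None   # outer endpoints, tunnel mode only


def policy_matches(pkt_src: str, pkt_dst: str, p: Policy) -> bool:
    """SPD selector match on source and destination network."""
    return (ipaddress.ip_address(pkt_src) in ipaddress.ip_network(p.src_net)
            and ipaddress.ip_address(pkt_dst) in ipaddress.ip_network(p.dst_net))


def sa_addresses(pkt_src: str, pkt_dst: str, p: Policy) -> Tuple[str, str]:
    """Addresses used to look up an SA once a policy has matched."""
    if p.mode == "transport":
        return (pkt_src, pkt_dst)    # transport mode: the packet's own addresses
    return p.tunnel                  # tunnel mode: the routers' outer addresses


def find_sa(sad: List[SA], pkt_src: str, pkt_dst: str, p: Policy) -> Optional[SA]:
    want = sa_addresses(pkt_src, pkt_dst, p)
    for sa in sad:
        if sa.mode == p.mode and (sa.src, sa.dst) == want:
            return sa
    return None


def outbound_decision(spd: List[Policy], sad: List[SA],
                      pkt_src: str, pkt_dst: str) -> str:
    """'protect' if a usable SA exists, 'no-sa' if the policy requires IPsec
    but no SA fits the lookup addresses, 'bypass' if no policy covers it."""
    for p in spd:
        if p.direction == "out" and policy_matches(pkt_src, pkt_dst, p):
            return "protect" if find_sa(sad, pkt_src, pkt_dst, p) else "no-sa"
    return "bypass"


# Host A's entries from the message, expressed as data.
SAD_TRANSPORT = [SA("10.2.0.1", "10.2.0.2", "transport"),
                 SA("10.2.0.2", "10.2.0.1", "transport")]
SPD_A_TRANSPORT = [Policy("10.1.0.0/24", "10.10.10.0/24", "out", "transport"),
                   Policy("10.10.10.0/24", "10.1.0.0/24", "in", "transport")]

# Constructed alternative (not from the thread): same selectors, but a
# tunnel-mode policy naming the two routers as endpoints, which in setkey
# syntax would be written "esp/tunnel/10.2.0.1-10.2.0.2/require".
SAD_TUNNEL = [SA("10.2.0.1", "10.2.0.2", "tunnel"),
              SA("10.2.0.2", "10.2.0.1", "tunnel")]
SPD_A_TUNNEL = [Policy("10.1.0.0/24", "10.10.10.0/24", "out", "tunnel",
                       tunnel=("10.2.0.1", "10.2.0.2")),
                Policy("10.10.10.0/24", "10.1.0.0/24", "in", "tunnel",
                       tunnel=("10.2.0.2", "10.2.0.1"))]


def compare(pkt_src: str = "10.1.0.5", pkt_dst: str = "10.10.10.5") -> dict:
    """Decision for one forwarded (transit) packet under both configurations."""
    return {
        "transport": outbound_decision(SPD_A_TRANSPORT, SAD_TRANSPORT, pkt_src, pkt_dst),
        "tunnel": outbound_decision(SPD_A_TUNNEL, SAD_TUNNEL, pkt_src, pkt_dst),
    }


if __name__ == "__main__":
    for cfg, decision in compare().items():
        print(f"{cfg:9s} 10.1.0.5 -> 10.10.10.5: {decision}")
```

In this model the transit packet matches the transport-mode policy, but the lookup then wants an SA between 10.1.0.5 and 10.10.10.5, which neither router has, so the packet cannot leave; the same selectors with a tunnel-mode policy resolve to the 10.2.0.1/10.2.0.2 SA pair. Traffic Host A originates itself (10.2.0.1 -> 10.2.0.2) matches no selector and is passed through untouched in both configurations.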