Date: Fri, 30 Nov 2018 15:04:24 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID: <108847324.20181130150424@serebryakov.spb.ru>
In-Reply-To: <9ae35c3c-7af8-e513-7c20-e2d62f2b7b3e@grosbein.net>
References: <1519156224.20181130021136@serebryakov.spb.ru> <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net> <881323908.20181130123008@serebryakov.spb.ru> <9ae35c3c-7af8-e513-7c20-e2d62f2b7b3e@grosbein.net>
Hello Eugene,

Friday, November 30, 2018, 1:28:29 PM, you wrote:

>>> It is possible and it is the way I have used extensively for a long time since very old
>>> FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.
>> Eugeny, please note that your example has SAs and SPDs with the same
>> addresses. It works for me too. It doesn't work for me if SAs have addresses
>> of routers and SPDs have addresses of routed networks. And if SPDs have
>> routers' addresses, then routed traffic is not encrypted, only host-to-host
>> (router-to-router) traffic is.
> Just add gif(4) to the picture.

I'm benchmarking different possible "native" VPN configurations and I have gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode IPsec too. The problem with gif(4) and gre(4) is that they are tremendously expensive, and could be more expensive than IPsec itself on CPUs with AES-NI.

So, this configuration is impossible, I understand. Nothing to benchmark :-)

-- 
Best regards,
 Lev                          mailto:lev@FreeBSD.org
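The two configurations being compared in this thread, written out as a setkey(8) policy file. This is an added illustration, not a configuration posted by Lev or Eugene: the two-router topology, the addresses, the SPIs, the keys and the gif0 setup in the comments are all constructed assumptions, and the "non-working" and tunnel-mode sections are left commented out so that the file loads as a single consistent gif(4) + transport-mode setup on R1.

```conf
# Added example, not from this thread: setkey(8) configuration for two
# FreeBSD routers.  Everything below (topology, addresses, SPIs, keys)
# is constructed for illustration only.
#   R1: public 192.0.2.1,     LAN 10.0.0.0/24
#   R2: public 198.51.100.1,  LAN 10.1.0.0/24
# Load on R1 with `setkey -f <this file>`; R2 uses the same file with
# the two sides swapped.

flush;
spdflush;

# ---- Non-working: SAs between the routers, SPDs naming the routed LANs ----
# In transport mode an SA applies only to packets whose own source and
# destination equal the SA endpoints.  A forwarded 10.0.0.x -> 10.1.0.x
# packet carries the hosts' addresses, not the routers', so no SA is found
# for it and the "require" policy cannot be satisfied.  Kept commented out.
#add 192.0.2.1 198.51.100.1 esp 0x1000 -E aes-cbc 0x000102030405060708090a0b0c0d0e0f;
#spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/transport//require;
#spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/transport//require;

# ---- Working: gif(4) + transport mode (Eugene's suggestion) ----
# gif0 wraps every LAN packet in an outer IPv4 header whose endpoints are
# the two routers (IP-in-IP, protocol "ip4"), so the outer packet matches
# a router-to-router transport-mode SA and all tunnelled traffic is covered.
# Assumed interface setup on R1, done before loading this file:
#   ifconfig gif0 create tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.255.0.1 10.255.0.2
#   route add -net 10.1.0.0/24 10.255.0.2

# Manual transport-mode SAs between the router addresses, one per direction.
# Keys are constructed counting patterns; real deployments use a keying daemon.
add 192.0.2.1 198.51.100.1 esp 0x1000 -m transport
    -E aes-cbc 0x000102030405060708090a0b0c0d0e0f
    -A hmac-sha2-256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
add 198.51.100.1 192.0.2.1 esp 0x1001 -m transport
    -E aes-cbc 0x1f1e1d1c1b1a19181716151413121110
    -A hmac-sha2-256 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100;

# Policies on the encapsulated traffic only: router -> router, protocol ip4.
# Using "any" instead of "ip4" would also protect other router-to-router traffic.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;

# ---- Alternative without gif(4): tunnel mode ----
# The SPDs name the LANs and carry the outer endpoints themselves; the SAs
# would then be created with "-m tunnel".  Shown for comparison only and
# commented out, since it would conflict with the transport-mode SAs above.
#spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
#spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

After loading, `setkey -D` lists the SAs and `setkey -DP` the policies; a forwarded packet from 10.0.0.0/24 to 10.1.0.0/24 should then leave R1 as ESP between 192.0.2.1 and 198.51.100.1. The point of the example is the one Lev arrives at: transport mode alone never matches transit packets, so covering them costs either the gif(4)/gre(4) encapsulation he is benchmarking or a switch to tunnel mode, where the encapsulation is done by IPsec itself.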