From: Lev Serebryakov
Reply-To: Lev Serebryakov
Organization: FreeBSD
Date: Fri, 30 Nov 2018 15:04:24 +0300
Message-ID: <108847324.20181130150424@serebryakov.spb.ru>
To: Eugene Grosbein, freebsd-net@freebsd.org
Subject: Re: IPsec: is it possible to encrypt transit traffic in transport mode?
In-Reply-To: <9ae35c3c-7af8-e513-7c20-e2d62f2b7b3e@grosbein.net>
References: <1519156224.20181130021136@serebryakov.spb.ru> <881323908.20181130123008@serebryakov.spb.ru> <9ae35c3c-7af8-e513-7c20-e2d62f2b7b3e@grosbein.net>

Hello Eugene,

Friday, November 30, 2018, 1:28:29 PM, you wrote:

>>> It is possible and it is the way I have used extensively for a long time since very old
>>> FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.

>> Eugeny, please note that your example has SAs and SPDs with the same
>> addresses. It works for me too. It doesn't work for me if SAs have addresses
>> of routers and SPDs have addresses of routed networks. And if SPDs have
>> routers' addresses, then routed traffic is not encrypted; only host-to-host
>> (router-to-router) traffic is.

> Just add gif(4) to the picture.

I'm benchmarking different possible "native" VPN configurations, and I have gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode IPsec too. The problem with gif(4) and gre(4) is that they are tremendously expensive, and could be more expensive than IPsec itself on CPUs with AES-NI.

So, this configuration is impossible, I understand. Nothing to benchmark :-)

-- 
Best regards,
Lev                          mailto:lev@FreeBSD.org
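The three configurations discussed in this thread (transport-mode SPD entries for the routed networks with SAs between the routers, transport-mode entries for the router addresses only, and gif(4) encapsulation in front of transport-mode IPsec, plus tunnel mode for comparison) can be worked through with a small model of outbound SPD/SAD lookup. The model below is an added illustration, not code from the list posters or from the FreeBSD kernel; it keeps only the rule that matters here: a transport-mode policy demands an SA keyed on the packet's own source and destination (ESP is inserted into that packet), whereas a tunnel-mode policy demands an SA keyed on the configured tunnel endpoints (a new outer header is built). The addresses, SPIs and the network layout are constructed from documentation ranges.

```python
"""Toy model of IPsec outbound SPD/SAD lookup (added example, not FreeBSD code).

Shows why transport-mode policies cannot protect forwarded (transit) traffic
unless the packet is first encapsulated between the routers (gif(4)/gre(4))
or a tunnel-mode policy is used instead.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    """One SPD entry (the equivalent of a setkey(8) 'spdadd' line)."""
    src_sel: str                              # selector prefix, e.g. "10.0.1.0/24"
    dst_sel: str
    mode: str                                 # "transport" or "tunnel"
    tunnel: Optional[Tuple[str, str]] = None  # (outer_src, outer_dst), tunnel mode only


@dataclass(frozen=True)
class SA:
    """One SAD entry (the equivalent of a setkey(8) 'add' line)."""
    src: str
    dst: str
    mode: str
    spi: int


def select_policy(pkt: Packet, spd):
    """First SPD entry whose selectors cover the packet, or None (bypass)."""
    for pol in spd:
        if (ip_address(pkt.src) in ip_network(pol.src_sel)
                and ip_address(pkt.dst) in ip_network(pol.dst_sel)):
            return pol
    return None


def required_endpoints(pkt: Packet, pol: Policy):
    # Transport mode: ESP goes into this very packet, so the SA must carry
    # the packet's own addresses. Tunnel mode: a fresh outer header is built,
    # so the SA carries the configured tunnel endpoints.
    if pol.mode == "transport":
        return (pkt.src, pkt.dst)
    return pol.tunnel


def outbound(pkt: Packet, spd, sad) -> str:
    """Return 'bypass', 'esp:<spi>' or 'no-sa' for an outgoing packet."""
    pol = select_policy(pkt, spd)
    if pol is None:
        return "bypass"                       # no policy: sent in the clear
    need = required_endpoints(pkt, pol)
    for sa in sad:
        if (sa.src, sa.dst) == need and sa.mode == pol.mode:
            return f"esp:{sa.spi:#x}"
    return "no-sa"                            # policy requires ESP but no SA fits


def gif_encapsulate(pkt: Packet, outer_src: str, outer_dst: str) -> Packet:
    """gif(4)/gre(4): wrap the transit packet in a new header between routers."""
    return Packet(outer_src, outer_dst)


# Constructed topology: 10.0.1.0/24 behind router R1, 10.0.2.0/24 behind router R2.
R1, R2 = "192.0.2.1", "198.51.100.1"
TRANSIT = Packet("10.0.1.10", "10.0.2.20")    # host-to-host packet R1 forwards
ROUTER_TO_ROUTER = Packet(R1, R2)
SAD_TRANSPORT = [SA(R1, R2, "transport", 0x1000)]


def case_spd_on_networks() -> str:
    """SPD selects the routed networks, SA is between the routers: no SA matches."""
    spd = [Policy("10.0.1.0/24", "10.0.2.0/24", "transport")]
    return outbound(TRANSIT, spd, SAD_TRANSPORT)


def case_spd_on_routers():
    """SPD selects router addresses: router-to-router is encrypted, transit bypasses."""
    spd = [Policy(R1 + "/32", R2 + "/32", "transport")]
    return (outbound(ROUTER_TO_ROUTER, spd, SAD_TRANSPORT),
            outbound(TRANSIT, spd, SAD_TRANSPORT))


def case_gif_then_transport() -> str:
    """gif(4) first gives the transit packet router addresses, then transport ESP fits."""
    spd = [Policy(R1 + "/32", R2 + "/32", "transport")]
    return outbound(gif_encapsulate(TRANSIT, R1, R2), spd, SAD_TRANSPORT)


def case_tunnel_mode() -> str:
    """Tunnel-mode policy on the networks with the routers as endpoints."""
    spd = [Policy("10.0.1.0/24", "10.0.2.0/24", "tunnel", (R1, R2))]
    sad = [SA(R1, R2, "tunnel", 0x2000)]
    return outbound(TRANSIT, spd, sad)


if __name__ == "__main__":
    print("transport SPD on networks :", case_spd_on_networks())
    print("transport SPD on routers  :", case_spd_on_routers())
    print("gif(4) + transport        :", case_gif_then_transport())
    print("tunnel mode               :", case_tunnel_mode())
```

On a real FreeBSD host the same two tables can be inspected with `setkey -D` (SAD) and `setkey -DP` (SPD); comparing the addresses in the SA entries against the selectors of the policy that a forwarded packet hits is the quickest way to see which of the four cases above a given configuration is in.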