From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Harry Schmalzbauer
Cc: freebsd-net@freebsd.org
Subject: Re: if_ipsec(4) and IKEv1 [security/ipsec-tools, racoon.conf]
Date: Tue, 27 Feb 2018 14:55:27 +0300
In-Reply-To: <5A953F09.2040503@omnilan.de>
References: <5A952B38.8060007@omnilan.de> <04174d98-c35d-b88b-d0db-ac579b153c57@yandex.ru> <5A953F09.2040503@omnilan.de>
List-Id: Networking and TCP/IP with FreeBSD

On 27.02.2018 14:20, Harry Schmalzbauer wrote:
> Thank you very much for your explanation!
>
> Unfortunately, I couldn't get the P2P idea behind if_ipsec(4) and I
> thought I'd just need a few minutes to switch from policy based tunnels
> to route based – local brain constraints seem to require me much more time...
>
> My intention was to incorporate ALTQ for ESP payload.
> So my idea was, that I have if_ipsec(4) and utilize pf's queue feature.
> But I have to stop here since I need time to think about if_ipsec(4).

AFAIK, ALTQ requires some support from the network driver; I think
if_ipsec(4) does not have such support.

> Maybe others have similar questions, so I just post them at this point,
> and because I will have forgotten next week otherwise:
>
> Is the P2P definition (ifconfig ipsecX ipnum/mask ipnum) meant as
> transfer network?
> If so, why would I want a local IP with a mask other than 0xffffffff?
> And why should the destination belong to the same subnet in that case?
> I'm completely missing something here...

You need to specify tunnel endpoints, i.e. one IP address is your local
one, which will be used as the source address of ESP packets; the second
is the remote IP address, which will be used as the destination address of
ESP packets.

# ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5

These addresses are used by the kernel to acquire the needed SAs. Since
if_ipsec(4) was implemented as a P2P interface (to be able to use the
"tunnel" keyword), you need to specify a second IP address in the
"ifconfig ipsecX ipnum/mask ipnum" command. You can use any mask you want,
and the destination address should not be from the same subnet. The
specified destination will be available through a route via this
interface. You also can add some additional routes using this destination
address.

> Also, I don't understand why if_ipsec(4) generates ipsec policies
> defined as 0.0.0.0/0[any] 0.0.0.0/0[any].
> For sure, that's handled differently than the policies I'm aware about,
> because there's scope=ifnet and ifname, but I need some time to
> elaborate the reasons for the way if_ipsec(4) is how it is.
These policies are special and are used to match all packets that will go
through the if_ipsec interface.

> Are there any 3rd-vendor papers, describing a similar implementation
> convention?

I don't know. AFAIK, Linux has something like this, but I'm not familiar
with Linux and don't know how it works. Also, I saw that NetBSD also added
a similar interface:
https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html

It is funny, but they didn't mention that the idea was borrowed from
FreeBSD...

--
WBR, Andrey V. Elsukov
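The configuration steps the reply describes (outer tunnel endpoints for the ESP packets, the P2P inner address pair, extra routes via the inner peer), collected into one script as an added example. This is not code from the mail or from the FreeBSD project: the outer 192.168.0.3/192.168.0.5 pair is the one quoted above, the inner 10.0.0.1/32 and 10.0.0.2 addresses and the 10.1.0.0/24 network are constructed for illustration, and the IPSEC_APPLY variable is this script's own convention. By default it only prints the commands it would run; executing them needs IPSEC_APPLY=1 and root on a FreeBSD host. It does not create SAs, which come from the IKE daemon (racoon in this thread) or setkey(8) keyed on the outer endpoints.

```shell
#!/bin/sh
# Added example (not from the mail or FreeBSD): assemble the ifconfig(8)/route(8)
# commands for a route-based if_ipsec(4) tunnel. Only printed unless IPSEC_APPLY=1
# (a variable invented for this script) and run as root on FreeBSD.

# valid_ipv4 A.B.C.D -> 0 when the argument is four dotted octets in 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_prefix A.B.C.D[/N] -> 0 when the address is valid and N (if given) is 0..32
valid_prefix() {
    valid_ipv4 "${1%/*}" || return 1
    case "$1" in
        */*) plen=${1#*/}
             case "$plen" in ''|*[!0-9]*) return 1 ;; esac
             [ "$plen" -le 32 ] || return 1 ;;
    esac
    return 0
}

# run CMD ARGS...: print the command; execute it only when IPSEC_APPLY=1
run() {
    printf '%s\n' "$*"
    if [ "${IPSEC_APPLY:-0}" = 1 ]; then
        "$@" || return 1
    fi
    return 0
}

# ipsec_tunnel_plan IFNAME OUTER_LOCAL OUTER_REMOTE INNER_LOCAL/N INNER_REMOTE [NET/N ...]
#   OUTER_*: ESP source/destination; the kernel uses them to acquire the SAs
#   INNER_*: the pair given to "ifconfig ipsecX ipnum/mask ipnum"; per the mail any
#            mask is accepted and the peer address is not taken from that subnet
#   NET/N  : additional networks routed through the tunnel via INNER_REMOTE
ipsec_tunnel_plan() {
    [ $# -ge 5 ] || { echo "usage: ipsec_tunnel_plan ifname lgw rgw inner/len peer [net ...]" >&2; return 1; }
    ifn=$1 outer_local=$2 outer_remote=$3 inner_local=$4 inner_remote=$5
    shift 5
    for a in "$outer_local" "$outer_remote" "$inner_remote"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    valid_prefix "$inner_local" || { echo "bad address: $inner_local" >&2; return 1; }
    for net in "$@"; do
        valid_prefix "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    run ifconfig "$ifn" create || return 1
    run ifconfig "$ifn" inet tunnel "$outer_local" "$outer_remote" || return 1
    run ifconfig "$ifn" inet "$inner_local" "$inner_remote" || return 1
    for net in "$@"; do
        run route add -net "$net" "$inner_remote" || return 1
    done
}

# Dry run with constructed values: the outer pair is the one in the mail, the
# inner /32 pair and the remote network are made up for this example.
ipsec_tunnel_plan ipsec0 192.168.0.3 192.168.0.5 10.0.0.1/32 10.0.0.2 10.1.0.0/24
# After applying, "setkey -DP" lists the interface's 0.0.0.0/0[any] policies
# (scope=ifnet, as the mail describes) and "ifconfig ipsec0" shows the endpoints.
```

Reviewing the printed plan before setting IPSEC_APPLY=1 is the point of the dry run: a wrong outer endpoint means the kernel looks for SAs that IKE will never negotiate, and a typo in a routed network silently sends traffic around the tunnel rather than through it.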