Configuration for IPSec Loop-Back Test

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Wed Aug 1 16:22:20 UTC 2018


On 1 Aug 2018, at 14:50, Alan Somers wrote:

> On Wed, Aug 1, 2018 at 7:15 AM, Christian Mauderer <
> christian.mauderer at embedded-brains.de> wrote:
>
>> Hello,
>>
>> I'm working on a port for IPSec and ipsec-tools (racoon, setkey,
>> libipsec) to an embedded operating system (RTEMS). RTEMS uses the
>> FreeBSD network stack via a compatibility layer (rtems-libbsd).
>>
>> I can already create an IPSec connection on some real hardware with
>> some real peer. To prevent regression in a future version, I would
>> like to add a test that would check that the port still works. That
>> test would have to run on a system _without_ a real hardware peer.
>> Therefore I would like to create some IPSec loop back connection. In
>> that case racoon would have to talk to itself because I currently only
>> support one instance.
>>
>> Do you have any hints how I could create such a network?
>>
>> My current thought would be something along a virtual network device
>> (maybe tun?) that can be connected to some other virtual network
>> device via for example a bridge device. Maybe I could then try to
>> configure two gif-devices that would use this tunnel. racoon would
>> have to listen on both devices (maybe on different ports).
>>
>> Currently I have trouble setting this up. Are there any simpler ideas
>> for an IPSec loop back connection that would use most of the stack
>> layers?
>>
>> Thanks in advance for every answer.
>>
>> With kind regards
>>
>> Christian Mauderer
>>
>
> Does RTEMS support multiple FIBs?  In FreeBSD I've done this kind of
> thing using multiple FIBs with tap(4) devices (though tun(4) might work
> for your use case).  In the FreeBSD source tree, see
> tests/sys/netinet/fibs_test.sh.


And, on FreeBSD, I have used VIMAGE (which I doubt you have), though
with two vnets in two jails talking to each other, or three of them with
a middle node forwarding, or five of them with two clients, two security
gateways, and a forwarding node.

/bz
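The two-jail VIMAGE layout Bjoern mentions, written out as an added example that is not part of this thread: two vnet jails joined by an epair(4), with IPsec in transport mode between them and a smoke test that checks the SA byte counters actually moved. Everything below is constructed for the example (jail names `left`/`right`, the 10.99.0.0/24 addresses, the SPIs and the test keys); it installs manual SAs with setkey(8) instead of running racoon, so the loop-back works without an IKE daemon. Without arguments it only prints the commands it would run (dry run); `apply` executes them and needs root on a FreeBSD kernel with VIMAGE.

```shell
#!/bin/sh
# Added example, not code from the thread: IPsec loop-back on one FreeBSD
# host using two VIMAGE jails connected by an epair(4).
# Assumptions (constructed, not from the thread): jail names, addresses,
# SPIs and keys below. Manual SAs via setkey(8) stand in for racoon so the
# test has no IKE dependency.
#
#   sh ipsec_loopback.sh            # dry run: print the commands (default)
#   sh ipsec_loopback.sh apply      # run as root on FreeBSD with VIMAGE
#   sh ipsec_loopback.sh teardown

DRY_RUN="${DRY_RUN:-1}"          # 1 = only print commands; 0 = execute them
LEFT_IP=10.99.0.1                # constructed addresses on a private /24
RIGHT_IP=10.99.0.2
SPI_L2R=0x1001                   # constructed SPIs, one per direction
SPI_R2L=0x1002
# Constructed lab keys: 128-bit AES-CBC (32 hex digits) and 256-bit
# HMAC-SHA256 (64 hex digits). Placeholder values for a throwaway test only.
ENC_KEY=0x00112233445566778899aabbccddeeff
AUTH_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit the setkey(8) configuration for one side. Both jails install the
# same two SAs; only the policy direction (out/in) is written from the
# point of view of the local address given as $1.
setkey_conf() {  # $1 = local ip, $2 = peer ip, $3 = outbound spi, $4 = inbound spi
    cat <<EOF
flush;
spdflush;
add $1 $2 esp $3 -E aes-cbc $ENC_KEY -A hmac-sha256 $AUTH_KEY;
add $2 $1 esp $4 -E aes-cbc $ENC_KEY -A hmac-sha256 $AUTH_KEY;
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in  ipsec esp/transport//require;
EOF
}

# Load the configuration into the named jail's vnet via "setkey -c" (stdin).
setkey_load() {  # $1 = jail name, remaining args are passed to setkey_conf
    j=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf 'jexec %s setkey -c <<EOF\n' "$j"; setkey_conf "$@"; printf 'EOF\n'
    else
        setkey_conf "$@" | jexec "$j" setkey -c
    fi
}

ipsec_loopback_setup() {
    run jail -c name=left  vnet persist
    run jail -c name=right vnet persist
    run ifconfig epair0 create           # creates epair0a and epair0b
    run ifconfig epair0a vnet left       # move one end into each vnet
    run ifconfig epair0b vnet right
    run jexec left  ifconfig epair0a inet "$LEFT_IP/24"  up
    run jexec right ifconfig epair0b inet "$RIGHT_IP/24" up
    setkey_load left  "$LEFT_IP"  "$RIGHT_IP" "$SPI_L2R" "$SPI_R2L"
    setkey_load right "$RIGHT_IP" "$LEFT_IP"  "$SPI_R2L" "$SPI_L2R"
    # Smoke test: the ping must succeed, and the "current:" byte counters
    # shown by "setkey -D" must be non-zero, proving the packets were ESP
    # rather than plain ICMP on the epair.
    run jexec left ping -c 3 "$RIGHT_IP"
    run jexec left setkey -D
}

ipsec_loopback_teardown() {
    run jail -r left
    run jail -r right
    run ifconfig epair0a destroy         # destroying one end removes the pair
}

case "${1:-plan}" in
    apply)    DRY_RUN=0; ipsec_loopback_setup ;;
    teardown) DRY_RUN=0; ipsec_loopback_teardown ;;
    *)        ipsec_loopback_setup ;;    # default: print the plan only
esac
```

The dry run is what makes this usable as a regression test scaffold: the printed command list can be diffed against an expected file before anything privileged runs, and the same two `setkey_conf` calls can later be replaced by two racoon instances bound to the two jail addresses once the port supports more than one.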