Configuration for IPSec Loop-Back Test
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Wed Aug 1 16:22:20 UTC 2018
On 1 Aug 2018, at 14:50, Alan Somers wrote:
> On Wed, Aug 1, 2018 at 7:15 AM, Christian Mauderer <
> christian.mauderer at embedded-brains.de> wrote:
>
>> Hello,
>>
>> I'm working on a port for IPSec and ipsec-tools (racoon, setkey,
>> libipsec) to an embedded operating system (RTEMS). RTEMS uses the
>> FreeBSD network stack via a compatibility layer (rtems-libbsd).
>>
>> I can already create an IPSec connection on some real hardware with
>> some real peer. To prevent regression in a future version, I would
>> like to add a test that would check that the port still works. That
>> test would have to run on a system _without_ a real hardware peer.
>> Therefore I would like to create some IPSec loop back connection. In
>> that case racoon would have to talk to itself because I currently
>> only support one instance.
>>
>> Do you have any hints how I could create such a network?
>>
>> My current thought would be something along a virtual network device
>> (maybe tun?) that can be connected to some other virtual network
>> device via for example a bridge device. Maybe I could then try to
>> configure two gif-devices that would use this tunnel. racoon would
>> have to listen on both devices (maybe on different ports).
>>
>> Currently I have trouble setting this up. Are there any simpler ideas
>> for an IPSec loop back connection that would use most of the stack
>> layers?
>>
>> Thanks in advance for every answer.
>>
>> With kind regards
>>
>> Christian Mauderer
>>
>
> Does RTEMS support multiple FIBs? In FreeBSD I've done this kind of
> thing using multiple FIBs with tap(4) devices (though tun(4) might
> work for your use case). In the FreeBSD source tree, see
> tests/sys/netinet/fibs_test.sh.
And, on FreeBSD, I have used VIMAGE (which I doubt you have) though
with two vnets in two jails talking to each other or three of them with
a middle node forwarding or five of them with two clients, two security
gateways, and a forwarding node.
/bz
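The two-vnet layout Bjoern describes, written out as an added example (not code from this thread, from FreeBSD's test suite, or from RTEMS/rtems-libbsd). Two VIMAGE jails, here named `left` and `right`, are joined by an epair(4) and each end is keyed with setkey(8). Manually keyed SAs stand in for racoon so a single host can exercise the whole ESP data path without an IKE peer; the addresses, SPIs and keys are constructed for the example. It assumes a FreeBSD kernel with VIMAGE and IPsec (built in or ipsec.ko) and root privileges. Commands are only printed unless `APPLY=1` is set, so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: IPsec loop-back between two vnet jails on FreeBSD.
# Everything below (jail names, addresses, SPIs, keys) is constructed
# for illustration; it is not the thread's or the project's own code.

LEFT_IP=${LEFT_IP:-10.99.0.1}
RIGHT_IP=${RIGHT_IP:-10.99.0.2}
# Constructed test keys: 16-byte AES-CBC key, 20-byte HMAC-SHA1 key.
ENC_KEY=0x00112233445566778899aabbccddeeff
AUTH_KEY=0x0123456789abcdef0123456789abcdef01234567

# Print a command (default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# setkey(8) script for the node at address $1 whose peer is $2.
# Both nodes install the same two SAs (one SPI per direction); only
# the policies are mirrored. Level "require" makes plain-text traffic
# fail, so a successful ping proves the ESP path actually works.
setkey_config() {
    cat <<EOF
flush;
spdflush;
add $LEFT_IP $RIGHT_IP esp 0x1001 -E aes-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;
add $RIGHT_IP $LEFT_IP esp 0x1002 -E aes-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require;
EOF
}

# Load the SAD/SPD into jail $1 (node address $2, peer address $3).
load_policy() {
    if [ "${APPLY:-0}" = 1 ]; then
        setkey_config "$2" "$3" | jexec "$1" setkey -c
    else
        printf '# setkey -c in jail %s:\n' "$1"
        setkey_config "$2" "$3"
    fi
}

bring_up() {
    run ifconfig epair0 create            # yields epair0a and epair0b
    run jail -c name=left vnet persist    # vnet: the jail gets its own stack
    run jail -c name=right vnet persist
    run ifconfig epair0a vnet left        # move one end into each vnet
    run ifconfig epair0b vnet right
    run jexec left ifconfig epair0a inet "$LEFT_IP/24" up
    run jexec right ifconfig epair0b inet "$RIGHT_IP/24" up
    load_policy left "$LEFT_IP" "$RIGHT_IP"
    load_policy right "$RIGHT_IP" "$LEFT_IP"
    # Regression check: with "require" policies, ping only succeeds
    # when ESP encapsulation and decapsulation both work.
    run jexec left ping -c 3 "$RIGHT_IP"
    run jexec left setkey -D              # per-SA byte counters confirm use
}

tear_down() {
    run jail -r left
    run jail -r right
    run ifconfig epair0a destroy          # removes both halves of the pair
}

case "${1:-}" in
    up)   bring_up ;;
    down) tear_down ;;
    *)    echo "usage: $0 up|down  (APPLY=1 to execute rather than print)" >&2 ;;
esac
```

Run `sh ipsec-loop.sh up` to see the plan, `APPLY=1 sh ipsec-loop.sh up` to build it and `APPLY=1 sh ipsec-loop.sh down` to remove it. Because each jail has its own vnet, the two ends really are separate hosts to the stack, which is what the question's tun/bridge/gif construction was trying to approximate; the manual SAs avoid needing two racoon instances to negotiate with each other.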