Is if_ipsec/ipsec - AESNI accelerated ?
Andrey V. Elsukov
bu7cher at yandex.ru
Thu Aug 9 20:56:31 UTC 2018
On 09.08.2018 23:11, David P. Discher wrote:
> The documentation for using IPSec (especially if_ipsec) is really thin
> for FreeBSD, so I pieced some of this together from various posts and
> mailing list threads.
>
> Is there no need for racoon? How in this example is the IKE/ISAKMP
> setup done? Is setkey doing this?
> This is 11.2-stable, shortly after release … I don’t have this sysctl.
This is a manually configured tunnel between two FreeBSD 12.0-CURRENT
hosts. I can suggest trying the patch and config from this post:
https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html
>> Need to see your setkey.conf, or at least the output of setkey -D..
>
>
> setkey.conf is :
>
> flush;
> spdflush;
>
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec
> esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
> esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec
> esp/tunnel/10.245.0.203-10.245.0.201/unique:4;
You don't need to create security policies for if_ipsec interfaces. They
are created by the interface automatically.
--
WBR, Andrey V. Elsukov
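
The manual setup discussed in this message, sketched for the first tunnel in the quoted setkey.conf with static SAs and no spdadd entries. This is an added example, not code from the thread or from the FreeBSD project. The interface name, the reqid (chosen to match the quoted "unique:12"), the inner addresses, the SPIs and the aes-gcm-16 cipher are assumptions, and the keys must be supplied by the caller.

```shell
#!/bin/sh
# Added example: manually keyed if_ipsec tunnel for the first peer pair
# in the quoted setkey.conf.
# Assumed values (not from the thread): interface name, reqid matching
# the quoted "unique:12", inner addresses, SPIs, cipher.
IFACE=ipsec0
REQID=12
OUTER_LOCAL=10.245.0.201
OUTER_REMOTE=10.245.0.202
INNER_LOCAL=172.30.1.13/30
INNER_REMOTE=172.30.1.14
SPI_OUT=0x1000
SPI_IN=0x1001

# Print the setkey(8) input: two SAs tied to the interface by -u REQID.
# There are no spdadd lines; if_ipsec installs its own policies.
# KEY_OUT and KEY_IN come from the caller as 0x followed by 40 hex
# digits (aes-gcm-16 with a 128-bit key plus a 32-bit salt).
sa_conf() {
    : "${KEY_OUT:?set KEY_OUT}" "${KEY_IN:?set KEY_IN}"
    printf 'add %s %s esp %s -m tunnel -u %s -E aes-gcm-16 %s;\n' \
        "$OUTER_LOCAL" "$OUTER_REMOTE" "$SPI_OUT" "$REQID" "$KEY_OUT"
    printf 'add %s %s esp %s -m tunnel -u %s -E aes-gcm-16 %s;\n' \
        "$OUTER_REMOTE" "$OUTER_LOCAL" "$SPI_IN" "$REQID" "$KEY_IN"
}

# Create the interface, load the SAs, then list the SPD so the
# automatically created policies can be checked.
apply_tunnel() {
    ifconfig "$IFACE" create reqid "$REQID"
    ifconfig "$IFACE" inet tunnel "$OUTER_LOCAL" "$OUTER_REMOTE"
    ifconfig "$IFACE" inet "$INNER_LOCAL" "$INNER_REMOTE"
    sa_conf | setkey -c
    setkey -DP
}

# Run as root on FreeBSD with the argument "apply"; without it the
# script only defines the functions and changes nothing.
if [ "${1:-}" = "apply" ]; then
    apply_tunnel
fi
```

The peer needs the mirrored configuration: local and remote addresses swapped, the same reqid, and the same two SAs.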