if_ipsec(4) and IKEv1 [security/ipsec-tools, racoon.conf]

Andrey V. Elsukov bu7cher at yandex.ru
Tue Feb 27 11:57:04 UTC 2018


On 27.02.2018 14:20, Harry Schmalzbauer wrote:
> Thank you very much for your explanation!
> 
> Unfortunately, I couldn't get the P2P idea behind if_ipsec(4) and I
> thought I'd just need a few minutes to switch from policy based tunnels
> to route based – local brain constraints seem to require me much more time...
> 
> My intention was to incorporate ALTQ for ESP payload.
> So my idea was, that I have if_ipsec(4) and utilize pf's queue feature.
> But I have to stop here since I need time to think about if_ipsec(4).

AFAIK, ALTQ requires some support from network driver, I think
if_ipsec(4) has not such support.

> Maybe others have similar questions, so I just post them at this point,
> and because I will have forgotten next week otherwise:
> 
> Is the P2P definition (ifconfig ipsecX ipnum/mask ipnum) meant as
> transfer network?
> If so, why would I want a local IP with a mask other than 0xffffffff?
> And why should the destination belong to the same subnet in that case?
> I'm completely missing something here...

You need to specify tunnel endpoints, i.e. one IP address is your local,
that will be used as source address of ESP packets, second is remote IP
address, that will be used as destination address of ESP packet.

   # ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5

These addresses are used by kernel to acquire needed SAs.
Since if_ipsec(4) was implemented as a P2P interface (to be able to use
the "tunnel" keyword), you need to specify the second IP address in the
"ifconfig ipsecX ipnum/mask ipnum" command. You can use any mask you want and
the destination address should not be from the same subnet. The specified
destination will be available through a route via this interface.
You also can add some additional routes using this destination address.

> Also, I don't understand why if_ipsec(4) generates ipsec policies
> defined as 0.0.0.0/0[any] 0.0.0.0/0[any].
> For sure, that's handled differently than the policies I'm aware about,
> because there's scope=ifnet and ifname, but I need some time to
> elaborate the reasons for the way if_ipsec(4) is how it is.

These policies are special and are used to match all packets that will go
through the if_ipsec interface.

> Are there any 3rd-vendor papers, describing a similar implementation
> convention?

I don't know. AFAIK, Linux has something like this, but I'm not familiar
with Linux and don't know how it works. Also, I saw that NetBSD also
added a similar interface:
	https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html

It is funny, but they didn't mention that the idea was borrowed from
FreeBSD...

-- 
WBR, Andrey V. Elsukov
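The configuration steps described in the reply above (outer tunnel endpoints, inner point-to-point addresses, extra routes via the interface, and the interface-scoped SPD entries) collected into one script. This is an added example, not code from the thread or from FreeBSD itself; all addresses are constructed, the `ipsec0` name and the `reqid` value are assumptions, and with `DRY_RUN=1` (the default) the script only prints the commands so it can be run anywhere.

```shell
#!/bin/sh
# Added example: bring up one side of a route-based IPsec tunnel with
# if_ipsec(4) on FreeBSD. Constructed addresses:
#   outer endpoints 192.168.0.3 (this host) / 192.168.0.5 (peer)
#   inner P2P addresses 10.0.0.1/30 (this host) / 10.0.0.2 (peer)
#   remote LAN 172.16.5.0/24 reached through the tunnel
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 = local outer address   $2 = remote outer address
# $3 = local inner addr/mask $4 = remote inner address
# $5 = remote network to route through the tunnel
configure_ipsec_if() {
    ifname="${IPSEC_IF:-ipsec0}"      # interface name is an assumption
    run ifconfig "$ifname" create
    # Outer addresses: source/destination of the ESP packets. The kernel
    # uses them to acquire the SAs (from racoon/IKE or a manual setkey).
    run ifconfig "$ifname" inet tunnel "$1" "$2"
    # Inner addresses: the mask need not be /32 and the peer need not be
    # in the same subnet; the peer is reached by a route via the interface.
    run ifconfig "$ifname" inet "$3" "$4"
    # reqid ties the interface's 0.0.0.0/0 policies to this tunnel's SAs
    # (value is an assumption; it must match the IKE daemon's configuration).
    run ifconfig "$ifname" reqid "${IPSEC_REQID:-100}"
    # Additional routes use the inner destination address as gateway.
    run route add -net "$5" "$4"
}

# Show the two interface-scoped policies (0.0.0.0/0[any] 0.0.0.0/0[any],
# scope=ifnet) that if_ipsec(4) installs, plus the SAs negotiated for them.
verify_tunnel() {
    run setkey -DP
    run setkey -D
}

# This host's side; the peer runs the same function with the arguments
# mirrored (192.168.0.5 192.168.0.3 10.0.0.2/30 10.0.0.1 <this host's LAN>).
configure_ipsec_if 192.168.0.3 192.168.0.5 10.0.0.1/30 10.0.0.2 172.16.5.0/24
verify_tunnel
```

Running it with `DRY_RUN=0` as root applies the commands; the `setkey -DP` output is where the `scope=ifnet ifname=ipsec0` policies from the question above become visible, and `setkey -D` shows whether racoon has actually installed SAs for that reqid.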
