IPsec: is it possible to encrypt transit traffic in transport mode?
Eugene Grosbein
eugen at grosbein.net
Fri Nov 30 01:06:37 UTC 2018
30.11.2018 6:11, Lev Serebryakov wrote:
> I have two routers like this:
>
> [NET 10.1.0.0/24] <-> (10.1.0.1 HOST A 10.2.0.1)
> <->
> (10.2.0.2 HOST B 10.10.10.1) <-> [NET 10.10.10.0/24]
>
> Both HOST A and HOST B run FreeBSD, both are routers (forwarding is
> enabled), host A has "route -net 10.10.10.0/24 10.2.0.2" and host B has
> "route -net 10.1.0.0/24 10.2.0.1".
>
> I could pass traffic from 10.1.0.0/24 to 10.10.10.0/24 and back without
> problems.
>
> Now, I want to encrypt this transit traffic between routers (!) but
> without creating a tunnel.
>
> Is it possible to encrypt this traffic with IPsec in *transport* mode?
> I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.0.0/24
> and 10.10.10.0/24 on A and B (not on endpoint devices), but it looks like it
> doesn't work: traffic stops. It is not that encrypted traffic is sent but
> dropped on the other end; no, the interfaces between Host A and Host B become
> silent according to "tcpdump", and all forwarded/dropped/error counters in
> "netstat -s" don't change anymore; only "input packets" in "netstat -s -p ip"
> is still counting.
>
> My SAs and SPDs look like this (for UDP only, for tests):
>
> Host A:
>
> add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
> add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
>
> spdadd 10.1.0.0/24 10.10.10.0/24 udp -P out ipsec esp/transport//require;
> spdadd 10.10.10.0/24 10.1.0.0/24 udp -P in ipsec esp/transport//require;
>
> Host B:
>
> add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
> add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
>
> spdadd 10.10.10.0/24 10.1.0.0/24 udp -P out ipsec esp/transport//require;
> spdadd 10.1.0.0/24 10.10.10.0/24 udp -P in ipsec esp/transport//require;
It is possible, and it is the way I have used extensively for a long time, since very old
FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.
You need to read the setkey(8) manual page, section ALGORITHMS, and make sure
you use properly sized keys, or it won't work, though.
An example of transport mode IPSEC with a low-powered device having an on-board
Geode LX Security Block crypto accelerator with AES-128-CBC support:
add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc "1234567890123456" -A hmac-md5 "0123456789123456";
add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc "9876543210987654" -A hmac-md5 "6543219876543210";
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/transport//require;
You have to use bigger keys if you use another -A algorithm like sha*; each character counts for 8 bits.
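The key-size rule above is easy to get wrong by hand, so here is an added checker (example code, not from this thread or from FreeBSD) that parses setkey(8) "add" lines and compares each -E/-A key length against a table transcribed from the ALGORITHMS section; the table is a subset and should be compared with the local manual page, and the last sample line is a constructed, deliberately wrong one.

```python
# Added example: validate key lengths in setkey(8) "add" lines before loading SAs.
import shlex

# Allowed key lengths in bits (subset transcribed from setkey(8) ALGORITHMS;
# verify against the local manual page before relying on it).
ENC_KEYLEN = {
    "null": range(0, 2049),        # 0 to 2048 bits, debugging only
    "des-cbc": {64},
    "3des-cbc": {192},
    "rijndael-cbc": {128, 192, 256},
}
AUTH_KEYLEN = {
    "null": range(0, 2049),
    "hmac-md5": {128},
    "hmac-sha1": {160},
    "hmac-sha2-256": {256},
    "hmac-sha2-384": {384},
    "hmac-sha2-512": {512},
}

def key_bits(key):
    """Bits in a setkey key token: 0x-hex counts 4 per digit, quoted text 8 per char."""
    if key.startswith("0x"):
        return (len(key) - 2) * 4
    return len(key) * 8

def allowed(values):
    """Render an allowed-length entry for an error message."""
    if isinstance(values, range):
        return f"{values.start}-{values.stop - 1}"
    return "/".join(str(v) for v in sorted(values))

def check_add_line(line):
    """Return a list of problems for one 'add' line; an empty list means the keys fit."""
    toks = shlex.split(line.strip().rstrip(";"))   # shlex removes the "" quotes
    if not toks or toks[0] != "add":
        return []                                   # spdadd and other lines are ignored
    problems = []
    for i, tok in enumerate(toks):
        if tok not in ("-E", "-A") or i + 2 >= len(toks):
            continue
        table = ENC_KEYLEN if tok == "-E" else AUTH_KEYLEN
        algo, bits = toks[i + 1], key_bits(toks[i + 2])
        if algo not in table:
            problems.append(f"{tok} {algo}: algorithm not in table")
        elif bits not in table[algo]:
            problems.append(f"{tok} {algo}: key is {bits} bits, allowed {allowed(table[algo])}")
    return problems

def check_config(text):
    """Map each offending line of a setkey config to its problems."""
    return {ln: p for ln in text.splitlines() if (p := check_add_line(ln))}
```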