IPsec: is it possible to encrypt transit traffic in transport mode?
Andrey V. Elsukov
bu7cher at yandex.ru
Fri Nov 30 09:24:45 UTC 2018
On 30.11.2018 04:06, Eugene Grosbein wrote:
>> Is it possible to encrypt this traffic with IPsec in *transport* mode?
>> I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.0.0/24
>> and 10.10.10.0/24 on A and B (not on endpoint devices) but looks like it
>> doesn't work, traffic stops. It is not that encrypted traffic is sent but
>> dropped on the other end, no, interfaces between Host A and Host B become
>> silent according to "tcpdump" and all forwarded/dropped/error counters in
>> "netstat -s" don't change anymore, only "input packets" in "netstat -s -p ip"
>> is still counting.
>>
> It is possible and it is the way I have used extensively for a long time since very old
> FreeBSD versions having KAME IPSEC, and it works with 11.2-STABLE, too.
>
> You need to read setkey(8) manual page, section ALGORITHMS and make sure
> you use proper sized keys or it won't work, though.
>
> An example of transport mode IPSEC with a low-powered device having an on-board
> Geode LX Security Block crypto accelerator with AES-128-CBC support:
>
> add 1.1.1.1 2.2.2.2 esp 1081 -m transport -E rijndael-cbc "1234567890123456" -A hmac-md5 "0123456789123456";
> add 2.2.2.2 1.1.1.1 esp 2081 -m transport -E rijndael-cbc "9876543210987654" -A hmac-md5 "6543219876543210";
>
> spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/transport//require;
> spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/transport//require;
>
> You have to use bigger keys if you use another -A algorithm like sha*, each character counts for 8 bits.
There is one problem. IPsec won't handle inbound packets that are not
destined to your IP address. Inbound packets are handled based on the
destination address, protocol and SPI value, so if ip_input() doesn't
decide that the ESP packet is for your host, it will not invoke
IPSEC_INPUT() and the encrypted packet will be routed as is.
--
WBR, Andrey V. Elsukov
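The quoted setkey(8) example above and the key-size remark ("each character counts for 8 bits") are the part of this thread most people trip over, so here is an added worked example, not from either poster: a small POSIX shell script that computes the bit length of a setkey key (quoted ASCII or 0x-hex), checks it against the size the algorithm requires (sizes taken from the ALGORITHMS section of setkey(8)), and emits a complete transport-mode SA/SPD pair with freshly generated keys of the right length. The addresses 192.0.2.1 and 192.0.2.2 are placeholders, the SPI values are arbitrary, and hmac-sha2-256 is used in place of the hmac-md5 from the quoted config. Per Andrey's point, a config like this only protects traffic whose destination is the host itself; it will not decrypt ESP that merely transits the router.

```shell
#!/bin/sh
# Added example (not from the thread): validate setkey(8) key sizes and emit
# a transport-mode ESP configuration between two hosts with correctly sized
# random keys. Addresses and SPIs below are placeholders.

# Required key length in bits, from the ALGORITHMS table in setkey(8).
# rijndael-cbc accepts 128, 192 or 256; 128 is listed here as the minimum.
key_bits_for() {
    case "$1" in
        hmac-md5)       echo 128 ;;
        hmac-sha1)      echo 160 ;;
        hmac-sha2-256)  echo 256 ;;
        hmac-sha2-512)  echo 512 ;;
        rijndael-cbc)   echo 128 ;;
        *)              echo 0 ;;
    esac
}

# Bit length of a key as setkey counts it: an ASCII string is 8 bits per
# character, a 0x-prefixed hex string is 4 bits per hex digit.
key_bits() {
    case "$1" in
        0x*) hex=${1#0x}; echo $(( ${#hex} * 4 )) ;;
        *)   echo $(( ${#1} * 8 )) ;;
    esac
}

# Return 0 when the key length suits the algorithm, 1 otherwise.
check_key() {
    algo=$1; key=$2
    have=$(key_bits "$key")
    if [ "$algo" = rijndael-cbc ]; then
        [ "$have" -eq 128 ] || [ "$have" -eq 192 ] || [ "$have" -eq 256 ]
    else
        [ "$have" -eq "$(key_bits_for "$algo")" ]
    fi
}

# Random key of N bits in setkey's 0x hex notation, read from /dev/urandom.
random_key() {
    bytes=$(( $1 / 8 ))
    printf '0x%s' "$(head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Emit the four setkey statements for a transport-mode ESP pair between
# hosts $1 and $2 with SPIs $3 (1->2) and $4 (2->1). Prints nothing and
# returns 1 if any generated key fails the size check.
gen_config() {
    a=$1; b=$2; spi_ab=$3; spi_ba=$4
    ealgo=rijndael-cbc; aalgo=hmac-sha2-256
    ek1=$(random_key 256); ak1=$(random_key 256)   # AES-256 + HMAC-SHA2-256
    ek2=$(random_key 256); ak2=$(random_key 256)
    for k in "$ek1" "$ek2"; do check_key "$ealgo" "$k" || return 1; done
    for k in "$ak1" "$ak2"; do check_key "$aalgo" "$k" || return 1; done
    cat <<EOF
add $a $b esp $spi_ab -m transport -E $ealgo $ek1 -A $aalgo $ak1;
add $b $a esp $spi_ba -m transport -E $ealgo $ek2 -A $aalgo $ak2;
spdadd $a/32 $b/32 any -P out ipsec esp/transport//require;
spdadd $b/32 $a/32 any -P in ipsec esp/transport//require;
EOF
}

# Usage: write the config to a file and load it with setkey on both hosts
# (the same file works on both sides since the SAs are listed in both
# directions), e.g.  gen_config 192.0.2.1 192.0.2.2 1081 2081 > ipsec.conf
# and then  setkey -f ipsec.conf
```

The quoted config's hmac-md5 key "0123456789123456" passes the check (16 characters, 128 bits), while the same string fails for hmac-sha1, which is exactly the "you have to use bigger keys" situation. Hex keys avoid the ASCII guessing entirely and let the key come from a real random source rather than a typed string.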