IPsec: is it possible to encrypt transit traffic in transport mode?
Lev Serebryakov
lev at FreeBSD.org
Fri Nov 30 12:04:33 UTC 2018
Hello Eugene,
Friday, November 30, 2018, 1:28:29 PM, you wrote:
>>> It is possible and it is the way I use extensively for long time since very old
>>> FreeBSD versions having KAME IPSEC and it works with 11.2-STABLE, too.
>> Eugeny, please note that your example has SA and SPDs with same
>> addresses. It works for me too. It doesn't work for me if SAs have addresses
>> of routers and SPDs have addresses of routed networks. And if SPDs have
>> routers' addresses, then routed traffic is not encrypted, only host-to-host
>> (router-to-router) is.
> Just add gif(4) to the picture.
I'm benchmarking different possible "native" VPN configurations and I have
gif(4) and gre(4) with and without IPsec in my battery. I have tunnel mode
IPsec too. The problem with gif(4) and gre(4) is that they are tremendously
expensive, and could be more expensive than IPsec itself on CPUs with AES-NI.
So, this configuration is impossible, I understand. Nothing to benchmark :-)
--
Best regards,
Lev mailto:lev at FreeBSD.org
More information about the freebsd-net mailing list