IPSec multicast limitation?
José Manuel Quintana Cámara
jmquintanacamara at gmail.com
Tue Feb 23 15:48:40 UTC 2016
Sorry, I forgot to attach the files. Now they are attached.
2016-02-23 16:47 GMT+01:00 José Manuel Quintana Cámara <jmquintanacamara at gmail.com>:
> Dear FreeBSD developers,
>
> I am Jose Manuel, software engineer. I got your email address from the
> website (https://www.freebsd.org/mailto.html). I am sorry if this is not
> the right place to ask my question. If so, please tell me where to do it.
>
> I write to you because I am finding some problems when using IPSec
> multicast mode. I hope I am clear in describing my problem.
>
> I am using the network environment shown in the attached file Network.png.
> Firstly, I performed IP multicast communications (IP, not IPSec, just to
> check that multicast is working properly) sending data from PC4 to PC1 and
> PC2. Everything OK.
>
> Then I enabled IPSec by means of using setkey (
> https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8) and found:
> 1. with IPSec unicast communications: I found some examples for IPSec
> unicast in the setkey man page. I configured a pair of SAs between PC4 and
> PC1 in tunnel mode (between routers 1 and 4) and it worked perfectly: I see
> that UDP data exchanged between PC1 and PC4 is protected between routers 1
> and 4 in ESP mode. I attach the file IPSec_Unicast.txt with the SAs and SPs
> created, working in every pair of PCs.
>
> 2. Now I have IPSec unicast and IP multicast working, so let's put IPSec
> multicast to work... but I found problems with it :(
> I have not found any multicast example in the setkey man page. Since there
> are no multicast examples, I wonder whether setkey is only made for unicast...
> or whether the kernel is not able to do it...
> I found this post from a guy who says it worked using the multicast
> address when creating the SA (
> http://security.stackexchange.com/questions/85915/ipsec-on-multicast).
> So, I tried in the same way, using the multicast address, to send data from
> PC4 to PC1 and PC2 (belonging to the multicast group) and I found that
> router4 received the UDP frames but it didn't output the ESP frames to the
> rest of the routers. I attach the file IPSec_Multicast.txt with the SAs and SPs
> created; I am not sure whether they are well built or not.
>
> I have the following questions:
> 1. Is there a limitation in the FreeBSD kernel on using IPSec multicast?
> 2. If not, is the limitation in setkey? Or maybe I am not using setkey
> correctly?
>
> Thank you very much in advance and congratulations on your work!
>
> Best regards,
> José Manuel Quintana
>
-------------- next part (IPSec_Multicast.txt) --------------
---------------------------
router1
---------------------------
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;
---------------------------
router2
---------------------------
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;
---------------------------
router3
---------------------------
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;
---------------------------
router4
---------------------------
#multicast SENDER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P out ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;
-------------- next part (IPSec_Unicast.txt) --------------
---------------------------
router1
---------------------------
#router1 - router2
add 10.0.1.1 10.0.1.2 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.1.2 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.1.2/require ;
#router1 - router3
add 10.0.1.1 10.0.1.3 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.1.3 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.1.3/require ;
#router1 - router4
add 10.0.1.1 10.0.1.4 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.1.4 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.4.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.1.4/require ;
---------------------------
router2
---------------------------
#router2 - router1
add 10.0.1.2 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.1 10.0.1.2 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.2.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.0.1.1/require ;
#router2 - router3
add 10.0.1.2 10.0.1.3 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.3 10.0.1.2 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.2.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.0.1.3/require ;
#router2 - router4
add 10.0.1.2 10.0.1.4 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.4 10.0.1.2 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.2.0/24 10.0.4.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.0.1.4/require ;
---------------------------
router3
---------------------------
#router3 - router1
add 10.0.1.3 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.1 10.0.1.3 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.3.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.1.3-10.0.1.1/require ;
#router3 - router2
add 10.0.1.3 10.0.1.2 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.2 10.0.1.3 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.3.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.3-10.0.1.2/require ;
#router3 - router4
add 10.0.1.3 10.0.1.4 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.4 10.0.1.3 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.3.0/24 10.0.4.0/24 any -P out ipsec esp/tunnel/10.0.1.3-10.0.1.4/require ;
---------------------------
router4
---------------------------
#router4 - router1
add 10.0.1.4 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.1 10.0.1.4 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.4.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.1.4-10.0.1.1/require ;
#router4 - router2
add 10.0.1.4 10.0.1.2 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.2 10.0.1.4 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.4.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.4-10.0.1.2/require ;
#router4 - router3
add 10.0.1.4 10.0.1.3 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
add 10.0.1.3 10.0.1.4 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
spdadd 10.0.4.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.4-10.0.1.3/require ;
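The two attached setkey files are easy to misread by eye, so the following lint script (an added example, not part of the original post or of FreeBSD) parses setkey `add`/`spdadd` lines and flags what a reviewer would want to spot in them: legacy algorithms, identical key material serving different SAs, and SAs or tunnel endpoints whose destination is a multicast group, which is exactly the case the post asks about. The names `lint_setkey`, `SAMPLE` and the regexes are chosen here; the sample input is constructed from the posted router1 entries and assumes IPv4 tunnel endpoints written as SRC-DST.

```python
import re
from ipaddress import ip_address

# Algorithms setkey still accepts but that are considered legacy (constructed list).
LEGACY_ALGS = {"des-cbc", "3des-cbc", "hmac-md5"}

SA_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+esp\s+(0x[0-9a-f]+)\s+-E\s+(\S+)\s+0x([0-9a-f]+)"
                   r"(?:\s+-A\s+(\S+)\s+0x([0-9a-f]+))?\s*;", re.I)
SP_RE = re.compile(r"^spdadd\s+\S+\s+\S+\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;", re.I)

def lint_setkey(text):
    """Return findings for one setkey(8) file: legacy algorithms, key material
    shared by different SAs, and multicast SA destinations / tunnel endpoints."""
    findings, seen = [], {}          # seen: (alg, key) -> first SA that used it
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := SA_RE.match(line):
            src, dst, spi, ealg, ekey, aalg, akey = m.groups()
            for alg, key in ((ealg, ekey), (aalg, akey)):
                if alg is None:          # -A is optional in setkey syntax
                    continue
                alg = alg.lower()
                if alg in LEGACY_ALGS:
                    findings.append(f"line {n}: legacy algorithm {alg}")
                first = seen.setdefault((alg, key), (src, dst, spi))
                if first != (src, dst, spi):
                    findings.append(f"line {n}: {alg} key reused from SA {first[0]}->{first[1]}")
            if ip_address(dst).is_multicast:
                findings.append(f"line {n}: SA destination {dst} is a multicast group")
        elif m := SP_RE.match(line):
            # policy looks like esp/tunnel/SRC-DST/level; only tunnel mode carries endpoints
            parts = m.group(2).split("/")
            if len(parts) == 4 and parts[1] == "tunnel":
                for end in parts[2].split("-"):
                    if ip_address(end).is_multicast:
                        findings.append(f"line {n}: tunnel endpoint {end} is a multicast group")
    return findings

# Constructed sample: router1's posted multicast receiver entries plus one of its
# unicast SAs, so the same key material shows up in two different SAs.
SAMPLE = """\
#multicast RECEIVER
add 10.0.4.20 239.1.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.4.20 239.1.1.1 any -P in ipsec esp/tunnel/10.0.4.20-239.1.1.1/require ;
add 10.0.1.2 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
"""
```

Running `lint_setkey(SAMPLE)` reports six findings: the 3DES legacy algorithm on both SAs, the multicast SA destination and tunnel endpoint 239.1.1.1, and the 3des-cbc and hmac-sha1 keys of the unicast SA being the same material as the multicast SA's.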