On Tue, Nov 25, 2008 at 04:10:08AM -0800, Rafi Kiel wrote:
> Hi
Hello!
> How can I configure tunnel mode SA/SP (with manual keying)
> programmatically?
Our ipsecconf(1M) doesn't enable tunnel-mode where the inner and outer
addresses match. We do have a self-encapsulation enabler in the IP_SEC_OPT
socket option.
> The transport mode SA/SP creation is demonstrated in the ipsecconf &
> ipseckey utils source code available on the opensolaris but it does not
> help (at least I understand it that way) how to work in tunnel mode.
typedef struct ipsec_req {
        uint_t  ipsr_ah_req;            /* AH request */
        uint_t  ipsr_esp_req;           /* ESP request */
        uint_t  ipsr_self_encap_req;    /* Self-Encap request */
        uint8_t ipsr_auth_alg;          /* Auth algs for AH */
        uint8_t ipsr_esp_alg;           /* Encr algs for ESP */
        uint8_t ipsr_esp_auth_alg;      /* Auth algs for ESP */
} ipsec_req_t;
You need to set ipsr_self_encap_req.
> I need it for UDP encapsulation of ESP tunnels (NAT traversal) and (in my
> case) the tunnel gateway is just the same host that actually generates the
> "to be encrypted" packets. That is the tunneling is not applied on the
> forwarded packets but packets generated locally.
Is the other end also its own tunnel gateway address? If not, you may wish
to consider just configuring a tunnel with a distinct inner address and doing
it that way.
Also, if you're manually adding NAT-Traversal SAs, you'll need to specify
parameters like "encap udp".
> Any links?
We lack support for self-encapsulated Tunnel Mode because we've found most
of our customers use Transport Mode for end-to-end protection. Unless the
packet is being forwarded post-decapsulation, Tunnel Mode is a waste of
sizeof(IP-header) bytes and injects known plaintext into the packet.
If the packet *is* being forwarded at one end post-decapsulation, it's
sensible to assign an "inner address" to the end that isn't forwarding. For
example:
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet A.B.C.4 netmask fffffff8 broadcast A.B.C.7
        ether a:b:c:d:e:f
ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1402 index 3
        inet tunnel src A.B.C.4 tunnel dst X.Y.Z.9
        tunnel security settings --> use 'ipsecconf -ln -i ip.tun0'
        tunnel hop limit 60
        inet 10.2.2.2 --> 10.1.1.1 netmask ffffffff
Dan
_______________________________________________
networking-discuss mailing list
[email protected]
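The per-socket request Dan points at (set ipsr_self_encap_req alongside ipsr_esp_req and hand the struct to setsockopt with IP_SEC_OPT), written out as an added example. This is not code from the original mail or from OpenSolaris. The ipsec_req_t layout is the one quoted in the thread; on Solaris the struct, IP_SEC_OPT and the IPSEC_PREF_* and SADB_*ALG_* constants come from <netinet/in.h> and <net/pfkeyv2.h>. The fallback definitions under #ifndef exist only so the file compiles on other systems, and their numeric values are assumptions recalled from those headers, not verified here. The function names ipsec_req_self_encap_esp, ipsec_req_is_self_encap and ipsec_req_apply are my own.

```c
/*
 * Added example, not from the original thread or from OpenSolaris.
 * Builds a per-socket ESP + self-encapsulation request in the ipsec_req_t
 * layout quoted in the mail and applies it with the IP_SEC_OPT socket option.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

#ifdef __sun
#include <net/pfkeyv2.h>        /* SADB_AALG_* / SADB_EALG_* on Solaris */
#endif

#ifndef IP_SEC_OPT
/* Not on Solaris: stand-in with the field layout quoted in the thread. */
typedef struct ipsec_req {
        unsigned int ipsr_ah_req;           /* AH request */
        unsigned int ipsr_esp_req;          /* ESP request */
        unsigned int ipsr_self_encap_req;   /* Self-Encap request */
        uint8_t      ipsr_auth_alg;         /* Auth algs for AH */
        uint8_t      ipsr_esp_alg;          /* Encr algs for ESP */
        uint8_t      ipsr_esp_auth_alg;     /* Auth algs for ESP */
} ipsec_req_t;
#endif

/* Assumed values (recalled from Solaris <netinet/in.h>, not verified here). */
#ifndef IPSEC_PREF_NEVER
#define IPSEC_PREF_NEVER        0x01
#endif
#ifndef IPSEC_PREF_REQUIRED
#define IPSEC_PREF_REQUIRED     0x02
#endif
/* Assumed values (recalled from Solaris <net/pfkeyv2.h>, not verified here). */
#ifndef SADB_AALG_SHA1HMAC
#define SADB_AALG_SHA1HMAC      3
#endif
#ifndef SADB_EALG_AESCBC
#define SADB_EALG_AESCBC        12
#endif

/*
 * Request ESP with self-encapsulation on every packet sent from the socket:
 * same inner and outer address, so the "tunnel gateway" is the host itself.
 * AH is left unrequested, so ipsr_auth_alg is unused.
 */
void ipsec_req_self_encap_esp(ipsec_req_t *req, uint8_t encr_alg, uint8_t auth_alg)
{
        memset(req, 0, sizeof *req);
        req->ipsr_esp_req        = IPSEC_PREF_REQUIRED;
        req->ipsr_self_encap_req = IPSEC_PREF_REQUIRED;   /* the bit Dan refers to */
        req->ipsr_esp_alg        = encr_alg;
        req->ipsr_esp_auth_alg   = auth_alg;
}

/* 1 if the request asks for ESP and self-encapsulation, 0 otherwise. */
int ipsec_req_is_self_encap(const ipsec_req_t *req)
{
        return req->ipsr_esp_req == IPSEC_PREF_REQUIRED &&
               req->ipsr_self_encap_req == IPSEC_PREF_REQUIRED;
}

/* Apply the request to a socket. Returns 0 on success, -1 with errno set. */
int ipsec_req_apply(int fd, const ipsec_req_t *req)
{
#ifdef IP_SEC_OPT
        return setsockopt(fd, IPPROTO_IP, IP_SEC_OPT, req, (socklen_t)sizeof *req);
#else
        (void)fd;
        (void)req;
        errno = ENOPROTOOPT;    /* kernel has no IP_SEC_OPT: report it, don't pretend */
        return -1;
#endif
}

int main(void)
{
        ipsec_req_t req;
        int fd = socket(AF_INET, SOCK_DGRAM, 0);

        if (fd < 0) {
                perror("socket");
                return 1;
        }
        ipsec_req_self_encap_esp(&req, SADB_EALG_AESCBC, SADB_AALG_SHA1HMAC);
        if (ipsec_req_apply(fd, &req) != 0) {
                perror("setsockopt(IP_SEC_OPT)");
                close(fd);
                return 1;
        }
        printf("IP_SEC_OPT applied: ESP + self-encap on fd %d\n", fd);
        close(fd);
        return 0;
}
```

The socket option only selects policy; the SAs themselves still have to exist (ipseckey(1M), with the "encap udp" parameters for NAT-T), and IP_SEC_OPT is ignored unless the caller has the privilege the system requires for per-socket policy.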