Re: iked.conf.5: provide gre example

2020-07-20 Thread Klemens Nanni
On Thu, Jul 16, 2020 at 03:02:25PM +0200, Klemens Nanni wrote:
> On Thu, Jul 16, 2020 at 10:23:20AM +0100, Stuart Henderson wrote:
> > On 2020/07/15 10:02, Theo de Raadt wrote:
> > > It is extremely unwise to use DNS names at this level (or things which
> > > look like DNS names).  The same problems that pf has with DNS, are
> > > present here.  You really don't want people to get into this habit.
> > 
> > Same in gre(4) config which needs addresses too. I agree.
> Alright, using literal IPs.
> 
> > > > +.Pp
> > > > +This example encrypts a
> > > > +.Xr gre 4
> > > > +tunnel from local machine A to peer D using FQDN-based public key
> > > > +authentication.
> > > > +.Ar transport
> > > > +mode is used to avoid duplicate encapsulation of GRE;
> > 
> > The inside encapsulation of IPsec tunnel mode is gif not gre, so it
> > isn't duplicate gre encap. "transport mode is used to avoid double
> > encapsulation" would do?
> Right, I didn't mean "twice GRE" but rather "twice encap": your wording
> is clearer, thanks.
> 
> dstid omitted as requested by tobhe.
Ping.

Feedback? OK?

Index: iked.conf.5
===
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.71
diff -u -p -r1.71 iked.conf.5
--- iked.conf.5 10 Jul 2020 21:23:47 -  1.71
+++ iked.conf.5 16 Jul 2020 12:59:13 -
@@ -1014,6 +1014,19 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
 .Ed
+.Pp
+This example encrypts a
+.Xr gre 4
+tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based 
on
+FQDN-based public key authentication;
+.Ar transport
+mode avoids double encapsulation:
+.Bd -literal -offset indent
+ikev2 transport \e
+   proto gre \e
+   from 2001:db8::aa:1 to 2001:db8::dd:4 \e
+   peer D.example.com
+.Ed
 .Sh SEE ALSO
 .Xr enc 4 ,
 .Xr ipsec 4 ,
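Review bot: the wording in `+tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based on` / `+FQDN-based public key authentication;` doubles up ("based on FQDN-based"); the earlier phrasing "using FQDN-based public key authentication" reads cleaner. Also, `+   peer D.example.com` still carries a DNS name while the flow endpoints were switched to literal addresses after the objection upthread; if names are to be avoided at this level, `peer 2001:db8::dd:4` would be consistent, and the FQDN-based authentication does not depend on the peer keyword being a name, since the public key is looked up from the ID the peer sends.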

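A complete two-sided setup behind the policy in the diff above, added here as an illustration and not part of the diff or of the iked.conf(5) manual: it goes beyond the one-line example by showing host D's side and the gre(4) interface on each end. It assumes the addresses and FQDNs from the diff (2001:db8::aa:1 / 2001:db8::dd:4, A.example.com / D.example.com); the policy names, the inner point-to-point addresses 10.99.0.1 and 10.99.0.2, and the choice of active/passive roles are constructed for the example.

```conf
# --- Host A (2001:db8::aa:1, ID A.example.com) ---

# /etc/hostname.gre0
# Outer endpoints must match the IPsec flow below so every GRE packet
# between A and D is caught by the transport-mode SA.  Inner addresses
# (10.99.0.x) are constructed; the third field is the far end's address.
tunnel 2001:db8::aa:1 2001:db8::dd:4
inet 10.99.0.1 255.255.255.255 10.99.0.2
up

# /etc/iked.conf
# The name is optional (the diff omits it); it only labels the policy.
# dstid is not needed for the key lookup (the key is found from the ID
# D actually sends); it pins the policy to the ID D is expected to use.
ikev2 "gre-to-D" active transport \
	proto gre \
	from 2001:db8::aa:1 to 2001:db8::dd:4 \
	peer 2001:db8::dd:4 \
	srcid A.example.com dstid D.example.com

# D's public key (a copy of D's /etc/iked/local.pub) is installed under
# the pubkeys subdirectory matching its ID type:
#   /etc/iked/pubkeys/fqdn/D.example.com

# --- Host D (2001:db8::dd:4, ID D.example.com) ---

# /etc/hostname.gre0
tunnel 2001:db8::dd:4 2001:db8::aa:1
inet 10.99.0.2 255.255.255.255 10.99.0.1
up

# /etc/iked.conf
ikev2 "gre-from-A" passive transport \
	proto gre \
	from 2001:db8::dd:4 to 2001:db8::aa:1 \
	peer 2001:db8::aa:1 \
	srcid D.example.com dstid A.example.com

# A's public key goes to /etc/iked/pubkeys/fqdn/A.example.com

# --- Both hosts ---
# gre(4) is disabled by default; enable it and check the policy syntax
# before starting the daemon:
#   sysctl net.inet.gre.allow=1
#   iked -n
```

Once both daemons are up, GRE traffic between the two outer addresses should show up as ESP on the wire, and anything not matching the flow keeps going in the clear.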


Re: iked.conf.5: provide gre example

2020-07-16 Thread Klemens Nanni
On Thu, Jul 16, 2020 at 10:23:20AM +0100, Stuart Henderson wrote:
> On 2020/07/15 10:02, Theo de Raadt wrote:
> > It is extremely unwise to use DNS names at this level (or things which
> > look like DNS names).  The same problems that pf has with DNS, are
> > present here.  You really don't want people to get into this habit.
> 
> Same in gre(4) config which needs addresses too. I agree.
Alright, using literal IPs.

> > > +.Pp
> > > +This example encrypts a
> > > +.Xr gre 4
> > > +tunnel from local machine A to peer D using FQDN-based public key
> > > +authentication.
> > > +.Ar transport
> > > +mode is used to avoid duplicate encapsulation of GRE;
> 
> The inside encapsulation of IPsec tunnel mode is gif not gre, so it
> isn't duplicate gre encap. "transport mode is used to avoid double
> encapsulation" would do?
Right, I didn't mean "twice GRE" but rather "twice encap": your wording
is clearer, thanks.

dstid omitted as requested by tobhe.

OK?

Index: iked.conf.5
===
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.71
diff -u -p -r1.71 iked.conf.5
--- iked.conf.5 10 Jul 2020 21:23:47 -  1.71
+++ iked.conf.5 16 Jul 2020 12:59:13 -
@@ -1014,6 +1014,19 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
 .Ed
+.Pp
+This example encrypts a
+.Xr gre 4
+tunnel from local machine A (2001:db8::aa:1) to peer D (2001:db8::dd:4) based 
on
+FQDN-based public key authentication;
+.Ar transport
+mode is used to avoid double encapsulation:
+.Bd -literal -offset indent
+ikev2 transport \e
+   proto gre \e
+   from 2001:db8::aa:1 to 2001:db8::dd:4 \e
+   peer D.example.com
+.Ed
 .Sh SEE ALSO
 .Xr enc 4 ,
 .Xr ipsec 4 ,



Re: iked.conf.5: provide gre example

2020-07-16 Thread Stuart Henderson
On 2020/07/15 10:02, Theo de Raadt wrote:
> It is extremely unwise to use DNS names at this level (or things which
> look like DNS names).  The same problems that pf has with DNS, are
> present here.  You really don't want people to get into this habit.

Same in gre(4) config which needs addresses too. I agree.

> > +.Pp
> > +This example encrypts a
> > +.Xr gre 4
> > +tunnel from local machine A to peer D using FQDN-based public key
> > +authentication.
> > +.Ar transport
> > +mode is used to avoid duplicate encapsulation of GRE;

The inside encapsulation of IPsec tunnel mode is gif not gre, so it
isn't duplicate gre encap. "transport mode is used to avoid double
encapsulation" would do?

> > +.Ar dstid
> > +is set explicitly to the peer's FQDN such that its public key is looked up 
> > even
> > +if the peer does not send its FQDN as peer ID:
> > +.Bd -literal -offset indent
> > +ikev2 transport \e
> > +   proto gre \e
> > +   from A.example.com to D.example.com \e
> > +   peer D.example.com \e
> > +   dstid D.example.com
> > +.Ed
> >  .Sh SEE ALSO
> >  .Xr enc 4 ,
> >  .Xr ipsec 4 ,
> > 
> 



Re: iked.conf.5: provide gre example

2020-07-15 Thread Theo de Raadt
It is extremely unwise to use DNS names at this level (or things which
look like DNS names).  The same problems that pf has with DNS, are
present here.  You really don't want people to get into this habit.

Klemens Nanni  wrote:

> Here's an addition to EXAMPLES for one of my frequent use cases that
> finally "just works".
> 
> First transport mode for child SAs was implemented, then a few
> interoperability issues have been identified with peers other than iked,
> now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this.
> 
> Feedback? OK?
> 
> Index: iked.conf.5
> ===
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.71
> diff -u -p -r1.71 iked.conf.5
> --- iked.conf.5   10 Jul 2020 21:23:47 -  1.71
> +++ iked.conf.5   12 Jul 2020 14:32:00 -
> @@ -1014,6 +1014,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
>  ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
>  ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
>  .Ed
> +.Pp
> +This example encrypts a
> +.Xr gre 4
> +tunnel from local machine A to peer D using FQDN-based public key
> +authentication.
> +.Ar transport
> +mode is used to avoid duplicate encapsulation of GRE;
> +.Ar dstid
> +is set explicitly to the peer's FQDN such that its public key is looked up 
> even
> +if the peer does not send its FQDN as peer ID:
> +.Bd -literal -offset indent
> +ikev2 transport \e
> + proto gre \e
> + from A.example.com to D.example.com \e
> + peer D.example.com \e
> + dstid D.example.com
> +.Ed
>  .Sh SEE ALSO
>  .Xr enc 4 ,
>  .Xr ipsec 4 ,
> 



Re: iked.conf.5: provide gre example

2020-07-15 Thread Tobias Heider
On Wed, Jul 15, 2020 at 05:34:31PM +0200, Klemens Nanni wrote:
> Here's an addition to EXAMPLES for one of my frequent use cases that
> finally "just works".
> 
> First transport mode for child SAs was implemented, then a few
> interoperability issues have been identified with peers other than iked,
> now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this.
> 
> Feedback? OK?
> 
> Index: iked.conf.5
> ===
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.71
> diff -u -p -r1.71 iked.conf.5
> --- iked.conf.5   10 Jul 2020 21:23:47 -  1.71
> +++ iked.conf.5   12 Jul 2020 14:32:00 -
> @@ -1014,6 +1014,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
>  ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
>  ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
>  .Ed
> +.Pp
> +This example encrypts a
> +.Xr gre 4
> +tunnel from local machine A to peer D using FQDN-based public key
> +authentication.
> +.Ar transport
> +mode is used to avoid duplicate encapsulation of GRE;
> +.Ar dstid
> +is set explicitly to the peer's FQDN such that its public key is looked up 
> even
> +if the peer does not send its FQDN as peer ID:

I don't like the part about dstid. The only effect of explicitly setting dstid
here should be that the policy *only* matches hosts that send this ID value.
The key is looked up based on the received ID value. This just makes sure
both are the same (D.example.com).

Otherwise the diff looks ok.

> +.Bd -literal -offset indent
> +ikev2 transport \e
> + proto gre \e
> + from A.example.com to D.example.com \e
> + peer D.example.com \e
> + dstid D.example.com
> +.Ed
>  .Sh SEE ALSO
>  .Xr enc 4 ,
>  .Xr ipsec 4 ,
> 



iked.conf.5: provide gre example

2020-07-15 Thread Klemens Nanni
Here's an addition to EXAMPLES for one of my frequent use cases that
finally "just works".

First transport mode for child SAs was implemented, then a few
interoperability issues have been identified with peers other than iked,
now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this.

Feedback? OK?

Index: iked.conf.5
===
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.71
diff -u -p -r1.71 iked.conf.5
--- iked.conf.5 10 Jul 2020 21:23:47 -  1.71
+++ iked.conf.5 12 Jul 2020 14:32:00 -
@@ -1014,6 +1014,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
 .Ed
+.Pp
+This example encrypts a
+.Xr gre 4
+tunnel from local machine A to peer D using FQDN-based public key
+authentication.
+.Ar transport
+mode is used to avoid duplicate encapsulation of GRE;
+.Ar dstid
+is set explicitly to the peer's FQDN such that its public key is looked up even
+if the peer does not send its FQDN as peer ID:
+.Bd -literal -offset indent
+ikev2 transport \e
+   proto gre \e
+   from A.example.com to D.example.com \e
+   peer D.example.com \e
+   dstid D.example.com
+.Ed
 .Sh SEE ALSO
 .Xr enc 4 ,
 .Xr ipsec 4 ,
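Review bot: the dstid sentence (`+is set explicitly to the peer's FQDN such that its public key is looked up even` / `+if the peer does not send its FQDN as peer ID:`) misdescribes what dstid does: as the reply in this thread points out, the public key is looked up from the ID the peer actually sends, and an explicit dstid only restricts the policy to peers presenting exactly that ID. Either drop the `+.Ar dstid` lines and `+   dstid D.example.com` from the example, or reword them as pinning the expected peer ID rather than as a key-lookup override. The name-based flow endpoints in `+   from A.example.com to D.example.com \e` are also flagged upthread; literal addresses keep the flow independent of DNS.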