
Route based IPsec

Authored By
ae
Nov 3 2016, 5:18 PM

Route based IPsec

[test15 src]# netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 87.250.242.158 UGS ix0
87.250.242.128/27 link#1 U ix0
87.250.242.145 link#1 UHS lo0
127.0.0.1 link#4 UH lo0
192.168.0.145 link#4 UH lo0
[test15 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test15 src]# kldstat
Id Refs Address Size Name
1 17 0xffffffff80200000 1a6e3d0 kernel
2 1 0xffffffff81c70000 2f4e90 zfs.ko
3 2 0xffffffff81f65000 ac78 opensolaris.ko
4 1 0xffffffff82011000 3625 ums.ko
5 1 0xffffffff82015000 31df cpuctl.ko
6 1 0xffffffff82019000 1a98 if_ipsec.ko
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
No SPD entries.
[test15 src]# ifconfig ipsec0 create
[test15 src]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144
[test15 src]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 src]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
[test15 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 87.250.242.145 --> 87.250.242.144
inet 10.0.0.145 --> 10.0.0.144 netmask 0xffffffff
inet6 fe80::225:90ff:fef9:3c92%ipsec0 prefixlen 64 scopeid 0x5
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
reqid: 16388
groups: ipsec
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=13 seq=3 pid=1418
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=15 seq=2 pid=1418
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=14 seq=1 pid=1418
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=16 seq=0 pid=1418
refcnt=1
[test15 src]# setkey -DPF
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=13 seq=3 pid=1420
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=15 seq=2 pid=1420
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=14 seq=1 pid=1420
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=16 seq=0 pid=1420
refcnt=1
[test15 src]# racoon
-----------
[test25 src]# netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 87.250.242.158 UGS igb0
87.250.242.128/27 link#1 U igb0
87.250.242.144 link#1 UHS lo0
127.0.0.1 link#6 UH lo0
172.16.0.145 link#6 UH lo0
[test25 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test25 src]# kldstat
Id Refs Address Size Name
1 20 0xffffffff80200000 1a6e3d0 kernel
2 1 0xffffffff81c70000 2f4e90 zfs.ko
3 2 0xffffffff81f65000 ac78 opensolaris.ko
4 1 0xffffffff82011000 3625 ums.ko
5 1 0xffffffff82015000 2b8e uhid.ko
6 1 0xffffffff82018000 31df cpuctl.ko
7 1 0xffffffff8201c000 1a98 if_ipsec.ko
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
No SPD entries.
[test25 src]# ifconfig ipsec0 create
[test25 src]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145
[test25 src]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 src]# route add 192.168.0.0/24 10.0.0.145
add net 192.168.0.0: gateway 10.0.0.145 fib 0
[test25 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 87.250.242.144 --> 87.250.242.145
inet 10.0.0.144 --> 10.0.0.145 netmask 0xffffffff
inet6 fe80::225:90ff:fe92:8548%ipsec0 prefixlen 64 scopeid 0x7
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
reqid: 16386
groups: ipsec
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
spid=5 seq=3 pid=1404
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
spid=7 seq=2 pid=1404
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
spid=6 seq=1 pid=1404
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
spid=8 seq=0 pid=1404
refcnt=1
[test25 src]# racoon
-------------
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.506 ms
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.506/0.506/0.506/0.000 ms
[test15 src]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.423 ms
--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.423/0.423/0.423/0.000 ms
--------------
[test15 butcher]# tcpdump -ni ix0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:13:48.830044 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x1), length 132
17:13:48.830388 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x1), length 132
17:16:11.563357 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x3), length 132
17:16:11.563623 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x2), length 132
--------------
[test15 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
17:13:22.880665 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40197, seq 0, length 64
17:13:48.829976 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40709, seq 0, length 64
17:13:48.830421 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 40709, seq 0, length 64
17:16:11.563292 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 42501, seq 0, length 64
17:16:11.563647 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 42501, seq 0, length 64
---------------
[test15 src]# setkey -D
87.250.242.145 87.250.242.144
esp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
E: rijndael-cbc d150a373 e2ff25ec 13e59840 90c424d2
A: hmac-sha1 4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
diff: 111(s) hard: 28800(s) soft: 23040(s)
last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
current: 152(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=1 pid=1443 refcnt=1
87.250.242.144 87.250.242.145
esp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
E: rijndael-cbc e7c9aa53 18ef46d9 b222111d a813af56
A: hmac-sha1 007f5908 755f4b88 e62c9de5 70122ebe 550d361d
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
diff: 111(s) hard: 28800(s) soft: 23040(s)
last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
current: 84(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=1443 refcnt=1
-----------
