IPsec tunnel using virtual tunnel interface with SAs installed by racoon.

[test15 src]# netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            87.250.242.158     UGS         ix0
87.250.242.128/27  link#1             U           ix0
87.250.242.145     link#1             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.0.145      link#4             UH          lo0
[test15 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test15 src]# kldstat
Id Refs Address            Size     Name
 1   17 0xffffffff80200000 1a6e3d0  kernel
 2    1 0xffffffff81c70000 2f4e90   zfs.ko
 3    2 0xffffffff81f65000 ac78     opensolaris.ko
 4    1 0xffffffff82011000 3625     ums.ko
 5    1 0xffffffff82015000 31df     cpuctl.ko
 6    1 0xffffffff82019000 1a98     if_ipsec.ko
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
No SPD entries.
[test15 src]# ifconfig ipsec0 create
[test15 src]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144
[test15 src]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 src]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
[test15 src]# ifconfig ipsec0
ipsec0: flags=8051 metric 0 mtu 1400
	tunnel inet 87.250.242.145 --> 87.250.242.144
	inet 10.0.0.145 --> 10.0.0.144 netmask 0xffffffff
	inet6 fe80::225:90ff:fef9:3c92%ipsec0 prefixlen 64 scopeid 0x5
	nd6 options=23
	reqid: 16388
	groups: ipsec
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
	spid=13 seq=3 pid=1418 refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
	spid=15 seq=2 pid=1418 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
	spid=14 seq=1 pid=1418 refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
	spid=16 seq=0 pid=1418 refcnt=1
[test15 src]# setkey -DPF
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
	spid=13 seq=3 pid=1420 refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
	spid=15 seq=2 pid=1420 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
	spid=14 seq=1 pid=1420 refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
	spid=16 seq=0 pid=1420 refcnt=1
[test15 src]# racoon
-----------
[test25 src]# netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            87.250.242.158     UGS        igb0
87.250.242.128/27  link#1             U          igb0
87.250.242.144     link#1             UHS         lo0
127.0.0.1          link#6             UH          lo0
172.16.0.145       link#6             UH          lo0
[test25 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test25 src]# kldstat
Id Refs Address            Size     Name
 1   20 0xffffffff80200000 1a6e3d0  kernel
 2    1 0xffffffff81c70000 2f4e90   zfs.ko
 3    2 0xffffffff81f65000 ac78     opensolaris.ko
 4    1 0xffffffff82011000 3625     ums.ko
 5    1 0xffffffff82015000 2b8e     uhid.ko
 6    1 0xffffffff82018000 31df     cpuctl.ko
 7    1 0xffffffff8201c000 1a98     if_ipsec.ko
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
No SPD entries.
[test25 src]# ifconfig ipsec0 create
[test25 src]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145
[test25 src]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 src]# route add 192.168.0.0/24 10.0.0.145
add net 192.168.0.0: gateway 10.0.0.145 fib 0
[test25 src]# ifconfig ipsec0
ipsec0: flags=8051 metric 0 mtu 1400
	tunnel inet 87.250.242.144 --> 87.250.242.145
	inet 10.0.0.144 --> 10.0.0.145 netmask 0xffffffff
	inet6 fe80::225:90ff:fe92:8548%ipsec0 prefixlen 64 scopeid 0x7
	nd6 options=23
	reqid: 16386
	groups: ipsec
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
	spid=5 seq=3 pid=1404 refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
	spid=7 seq=2 pid=1404 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
	spid=6 seq=1 pid=1404 refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
	spid=8 seq=0 pid=1404 refcnt=1
[test25 src]# racoon
-------------
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes

--- 10.0.0.144 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.506 ms

--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.506/0.506/0.506/0.000 ms
[test15 src]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.423 ms

--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.423/0.423/0.423/0.000 ms
--------------
[test15 butcher]# tcpdump -ni ix0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:13:48.830044 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x1), length 132
17:13:48.830388 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x1), length 132
17:16:11.563357 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x3), length 132
17:16:11.563623 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x2), length 132
--------------
[test15 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
17:13:22.880665 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40197, seq 0, length 64
17:13:48.829976 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40709, seq 0, length 64
17:13:48.830421 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 40709, seq 0, length 64
17:16:11.563292 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 42501, seq 0, length 64
17:16:11.563647 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 42501, seq 0, length 64
---------------
[test15 src]# setkey -D
87.250.242.145 87.250.242.144
	esp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
	E: rijndael-cbc  d150a373 e2ff25ec 13e59840 90c424d2
	A: hmac-sha1  4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
	seq=0x00000001 replay=4 flags=0x00000000 state=mature
	created: Nov  3 17:13:23 2016	current: Nov  3 17:15:14 2016
	diff: 111(s)	hard: 28800(s)	soft: 23040(s)
	last: Nov  3 17:13:48 2016	hard: 0(s)	soft: 0(s)
	current: 152(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 1	hard: 0	soft: 0
	sadb_seq=1 pid=1443 refcnt=1
87.250.242.144 87.250.242.145
	esp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
	E: rijndael-cbc  e7c9aa53 18ef46d9 b222111d a813af56
	A: hmac-sha1  007f5908 755f4b88 e62c9de5 70122ebe 550d361d
	seq=0x00000001 replay=4 flags=0x00000000 state=mature
	created: Nov  3 17:13:23 2016	current: Nov  3 17:15:14 2016
	diff: 111(s)	hard: 28800(s)	soft: 23040(s)
	last: Nov  3 17:13:48 2016	hard: 0(s)	soft: 0(s)
	current: 84(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 1	hard: 0	soft: 0
	sadb_seq=0 pid=1443 refcnt=1
-----------

IPsec tunnel using virtual tunnel interface with manually installed SAs.

[test15 butcher]# ifconfig ipsec0 create reqid 100
[test15 butcher]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144 up
[test15 butcher]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 butcher]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
# setkey -c
add 87.250.242.145 87.250.242.144 esp 1000 -m tunnel -u 100 -E rijndael-cbc "1111111111111111";
add 87.250.242.144 87.250.242.145 esp 2000 -m tunnel -u 100 -E rijndael-cbc "2222222222222222";
^D
[test15 butcher]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:100
	spid=5 seq=3 pid=5682 refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:100
	spid=7 seq=2 pid=5682 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:100
	spid=6 seq=1 pid=5682 refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:100
	spid=8 seq=0 pid=5682 refcnt=1
[test15 butcher]# setkey -D
87.250.242.144 87.250.242.145
	esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
	E: rijndael-cbc  32323232 32323232 32323232 32323232
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Nov  5 07:48:20 2016	current: Nov  5 07:48:58 2016
	diff: 38(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=5683 refcnt=1
87.250.242.145 87.250.242.144
	esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
	E: rijndael-cbc  31313131 31313131 31313131 31313131
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Nov  5 07:48:11 2016	current: Nov  5 07:48:58 2016
	diff: 47(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=5683 refcnt=1
[test15 butcher]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.632 ms

--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.632/0.632/0.632/0.000 ms
[test15 butcher]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.427 ms

--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.427/0.427/0.427/0.000 ms
--------
[test25 butcher]# ifconfig ipsec0 create reqid 100
[test25 butcher]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145 up
[test25 butcher]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 butcher]# setkey -c
add 87.250.242.145 87.250.242.144 esp 1000 -m tunnel -u 100 -E rijndael-cbc "1111111111111111";
add 87.250.242.144 87.250.242.145 esp 2000 -m tunnel -u 100 -E rijndael-cbc "2222222222222222";
^D
[test25 butcher]# setkey -D
87.250.242.144 87.250.242.145
	esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
	E: rijndael-cbc  32323232 32323232 32323232 32323232
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Nov  5 12:03:02 2016	current: Nov  5 12:03:21 2016
	diff: 19(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=6105 refcnt=1
87.250.242.145 87.250.242.144
	esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
	E: rijndael-cbc  31313131 31313131 31313131 31313131
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Nov  5 12:03:02 2016	current: Nov  5 12:03:21 2016
	diff: 19(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=6105 refcnt=1
[test25 butcher]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:100
	spid=9 seq=3 pid=6106 refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:100
	spid=11 seq=2 pid=6106 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:100
	spid=10 seq=1 pid=6106 refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:100
	spid=12 seq=0 pid=6106 refcnt=1
[test25 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
12:04:30.092828 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 14358, seq 0, length 64
12:04:30.092885 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 14358, seq 0, length 64
12:05:09.869815 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 15126, seq 0, length 64
12:05:09.869907 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 15126, seq 0, length 64
[test25 butcher]# tcpdump -ni igb0 host 87.250.242.145
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:04:30.092608 ARP, Request who-has 87.250.242.144 tell 87.250.242.145, length 46
12:04:30.092621 ARP, Reply 87.250.242.144 is-at 00:25:90:92:85:48, length 28
12:04:30.092807 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x000003e8,seq=0x1), length 120
12:04:30.092911 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x000007d0,seq=0x1), length 120
12:05:09.869789 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x000003e8,seq=0x2), length 120
12:05:09.869923 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x000007d0,seq=0x2), length 120
------
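Two states in the transcript are worth checking automatically: after `ifconfig ipsec0` has installed the SPD policies but before racoon has negotiated any SA (which is why the first ping to 10.0.0.144 was lost), and after the manual `setkey -c` keying, which passes `-E` but no `-A`, so the resulting SAs have no authentication algorithm and a zero anti-replay window. The Python script below is an added example and not part of the original transcript or of FreeBSD's tools; its sample strings are abridged copies of the `setkey -D` and `setkey -DP` dumps above (lifetime lines and IPv6 policies dropped), and the `aes-gcm-16` name is assumed from setkey(8)'s algorithm list. It parses both dumps, cross-checks every tunnel policy against the installed SAs by endpoints and reqid, and reports ESP SAs that lack integrity protection or replay protection.

```python
"""Cross-check setkey(8) SAD/SPD dumps from an if_ipsec(4) tunnel host."""
import re

# Constructed samples, abridged from the transcript above (lifetime lines dropped).
SAD_RACOON = """\
87.250.242.145 87.250.242.144
\tesp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
\tE: rijndael-cbc  d150a373 e2ff25ec 13e59840 90c424d2
\tA: hmac-sha1  4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
\tseq=0x00000001 replay=4 flags=0x00000000 state=mature
87.250.242.144 87.250.242.145
\tesp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
\tE: rijndael-cbc  e7c9aa53 18ef46d9 b222111d a813af56
\tA: hmac-sha1  007f5908 755f4b88 e62c9de5 70122ebe 550d361d
\tseq=0x00000001 replay=4 flags=0x00000000 state=mature
"""
SAD_MANUAL = """\
87.250.242.144 87.250.242.145
\tesp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
\tE: rijndael-cbc  32323232 32323232 32323232 32323232
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
87.250.242.145 87.250.242.144
\tesp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
\tE: rijndael-cbc  31313131 31313131 31313131 31313131
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
"""
# Policies created on test15 by `ifconfig ipsec0`; racoon form uses unique#reqid,
# the manually keyed form unique:reqid.  IPv6 policies omitted for brevity.
SPD_RACOON = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/87.250.242.144-87.250.242.145/unique#16388
\tspid=13 seq=3 pid=1418 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/87.250.242.145-87.250.242.144/unique#16388
\tspid=14 seq=1 pid=1418 refcnt=1
"""
SPD_MANUAL = SPD_RACOON.replace("unique#16388", "unique:100")

ADDR = r"[0-9A-Fa-f.:]+"
SA_HEAD = re.compile(rf"^({ADDR}) ({ADDR})$")
SA_PROTO = re.compile(r"^(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
SA_ALG = re.compile(r"^([EA]): (\S+)")
SA_REPLAY = re.compile(r"\breplay=(\d+)")
SP_HEAD = re.compile(r"^(\S+) (\S+) (\S+)$")
SP_DIR = re.compile(r"^(in|out|fwd) (ipsec|discard|none)$")
SP_REQ = re.compile(rf"^(esp|ah|ipcomp)/tunnel/({ADDR})-({ADDR})/unique[#:](\d+)")
# Combined-mode ciphers carry their own integrity check, so no "A:" line is expected.
AEAD = {"aes-gcm-16"}  # setkey(8) algorithm name; an assumption of this example


def parse_sad(text):
    """Parse `setkey -D` output into one dict per SA (src, dst, proto, spi, reqid, algs, replay)."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_HEAD.match(line):
            sas.append({"src": m[1], "dst": m[2], "enc": None, "auth": None, "replay": 0})
        elif sas and (m := SA_PROTO.match(line)):
            sas[-1].update(proto=m[1], mode=m[2], spi=int(m[3]), reqid=int(m[4]))
        elif sas and (m := SA_ALG.match(line)):
            sas[-1]["enc" if m[1] == "E" else "auth"] = m[2]
        elif sas and (m := SA_REPLAY.search(line)):
            sas[-1]["replay"] = int(m[1])
    return sas


def parse_spd(text):
    """Parse `setkey -DP` output; keep only policies that carry a tunnel request with a reqid."""
    sps = []
    for raw in text.splitlines():
        line = raw.strip()
        if SP_HEAD.match(line):
            sps.append({})
        elif sps and (m := SP_DIR.match(line)):
            sps[-1].update(dir=m[1], action=m[2])
        elif sps and (m := SP_REQ.match(line)):
            sps[-1].update(proto=m[1], src=m[2], dst=m[3], reqid=int(m[4]))
    return [sp for sp in sps if "reqid" in sp]


def audit(sas, sps):
    """Return (severity, message) findings: weak SAs and policies with no SA behind them."""
    findings = []
    for sa in sas:
        tag = f"SA {sa['src']}->{sa['dst']} spi={sa.get('spi')}"
        if sa.get("proto") == "esp" and sa["auth"] is None and sa["enc"] not in AEAD:
            findings.append(("high", f"{tag}: ESP with no authentication algorithm, no integrity protection"))
        if sa["replay"] == 0:
            findings.append(("medium", f"{tag}: anti-replay window is 0, replayed ESP packets are accepted"))
    for sp in sps:
        if not any(sa["src"] == sp["src"] and sa["dst"] == sp["dst"] and sa.get("reqid") == sp["reqid"]
                   and sa.get("proto") == sp["proto"] for sa in sas):
            findings.append(("high", f"policy {sp['dir']} {sp['proto']}/tunnel/{sp['src']}-{sp['dst']} "
                                     f"reqid={sp['reqid']}: no matching SA, traffic is dropped until one exists"))
    return findings


if __name__ == "__main__":
    for name, sad, spd in (("racoon, before IKE", "", SPD_RACOON),
                           ("racoon, after IKE", SAD_RACOON, SPD_RACOON),
                           ("manual keys", SAD_MANUAL, SPD_MANUAL)):
        print(f"== {name}")
        for sev, msg in audit(parse_sad(sad), parse_spd(spd)) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it against live output with `setkey -D` and `setkey -DP` piped into the two parsers; the "before IKE" case reproduces the lost first ping (policies require ESP, no SA exists yet), and the "manual keys" case shows what adding `-A hmac-sha1` with a second key and a non-zero `-r` replay window to the `setkey add` lines would fix.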