Hello Freebsd-net, I have two routers like this:

    [NET 10.1.0.0/24] <-> (10.1.0.1 HOST A 10.2.0.1) <-> (10.2.0.2 HOST B 10.10.10.1) <-> [NET 10.10.10.0/24]

Both HOST A and HOST B run FreeBSD, both are routers (forwarding is enabled), host A has "route -net 10.10.10.0/24 10.2.0.2" and host B has "route -net 10.1.0.0/24 10.2.0.1". I could pass traffic from 10.1.0.0/24 to 10.10.10.0/24 and back without problems.

Now, I want to encrypt this transit traffic between routers (!) but without creation of a tunnel. Is it possible to encrypt this traffic with IPsec in *transport* mode?

I've tried to create SAs for 10.2.0.1 and 10.2.0.2 and SPDs for 10.1.0.0/24 and 10.10.10.0/24 on A and B (not on endpoint devices), but it looks like it doesn't work: traffic stops. It is not that encrypted traffic is sent but dropped on the other end; no, the interfaces between Host A and Host B become silent according to "tcpdump", and all forwarded/dropped/error counters in "netstat -s" don't change anymore, only "input packets" in "netstat -s -p ip" is still counting.

My SAs and SPDs look like this (for UDP only, for tests):

Host A:

    add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
    add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
    spdadd 10.1.0.0/24 10.10.10.0/24 udp -P out ipsec esp/transport//require;
    spdadd 10.10.10.0/24 10.1.0.0/24 udp -P in ipsec esp/transport//require;

Host B:

    add 10.2.0.1 10.2.0.2 esp 0x10001 -m transport -E null "";
    add 10.2.0.2 10.2.0.1 esp 0x10001 -m transport -E null "";
    spdadd 10.10.10.0/24 10.1.0.0/24 udp -P out ipsec esp/transport//require;
    spdadd 10.1.0.0/24 10.10.10.0/24 udp -P in ipsec esp/transport//require;

-- 
Best regards,
Lev mailto:l...@freebsd.org
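As an added illustration (not part of the post above), here is a small Python model of the outbound SPD/SAD lookup that the posted policy relies on, following the RFC 4301 rule that a transport-mode SA is keyed by the packet's own source and destination addresses while a tunnel-mode SA is keyed by the gateway pair named in the policy. It feeds Host A's posted entries and a constructed tunnel-mode alternative through that lookup; ports, SPI selection and IKE are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int
    mode: str            # "transport" or "tunnel"

@dataclass(frozen=True)
class SP:
    src_net: str
    dst_net: str
    proto: str           # "udp", "tcp" or "any"
    mode: str            # "transport" or "tunnel"
    tunnel: Optional[Tuple[str, str]] = None   # gateway pair, tunnel mode only

def match_sp(sp: SP, src: str, dst: str, proto: str) -> bool:
    # Selector match on the inner (original) addresses and protocol.
    return (ipaddress.ip_address(src) in ipaddress.ip_network(sp.src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(sp.dst_net)
            and sp.proto in ("any", proto))

def select_sa(sad, sp: SP, src: str, dst: str) -> Optional[SA]:
    # Transport mode inserts ESP into the original packet, so the SA must be
    # keyed by the packet's own addresses; tunnel mode adds an outer header
    # carrying the gateway addresses taken from the policy.
    want = (src, dst) if sp.mode == "transport" else sp.tunnel
    return next((sa for sa in sad
                 if sa.mode == sp.mode and (sa.src, sa.dst) == want), None)

def outbound(spd, sad, src: str, dst: str, proto: str) -> str:
    """Return 'bypass', 'esp spi=0x..' or 'drop' (level 'require', no SA)."""
    for sp in spd:
        if match_sp(sp, src, dst, proto):
            sa = select_sa(sad, sp, src, dst)
            return f"esp spi={sa.spi:#x}" if sa else "drop"
    return "bypass"

# Host A's entries as posted (transport mode, level "require").
SAD_POSTED = [SA("10.2.0.1", "10.2.0.2", 0x10001, "transport"),
              SA("10.2.0.2", "10.2.0.1", 0x10001, "transport")]
SPD_POSTED = [SP("10.1.0.0/24", "10.10.10.0/24", "udp", "transport")]

# Constructed alternative: same gateways, but a tunnel-mode policy and SA.
SAD_TUNNEL = [SA("10.2.0.1", "10.2.0.2", 0x10001, "tunnel")]
SPD_TUNNEL = [SP("10.1.0.0/24", "10.10.10.0/24", "udp", "tunnel",
                 tunnel=("10.2.0.1", "10.2.0.2"))]

if __name__ == "__main__":
    print(outbound(SPD_POSTED, SAD_POSTED, "10.1.0.5", "10.10.10.5", "udp"))
    print(outbound(SPD_TUNNEL, SAD_TUNNEL, "10.1.0.5", "10.10.10.5", "udp"))
```

Running it prints "drop" for the posted transport-mode entries (the policy matches a forwarded 10.1.0.x to 10.10.10.x packet, but no SA is keyed by those addresses) and "esp spi=0x10001" for the tunnel-mode variant.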