Support for the enc(4) pseudo-interface

Tue Mar 21 13:33:39 UTC 2017

Hi,

I just got it working. Here is what I have done:

- Loaded the kernel module:

    # kldload if_enc

- Set the interface up:

    # ifconfig enc0 up

- Tweaked sysctl to enable tunnel filtering. Default value is 0 and 
makes IPsec-related traffic bypass the firewall:

    # sysctl net.inet.ipsec.filtertunnel = 1

- Tweaked sysctl to configure the enc(4) device. According to the man 
page, the mechanism used by enc(4) to inject packets into packet filters
is configurable with two sysctl values, one for each direction. Default 
values are:

    # sysctl net.enc.out.ipsec_filter_mask
    1

    # sysctl net.enc.in.ipsec_filter_mask
    1

The default value of the second sysctl leads enc(4) devices to pass 
encrypted traffic to packet filters. As suggested by the man page, I had
to set this sysctl to the recommended value of 2 to make enc(4) inject
decrypted packets instead:

    # sysctl net.enc.in.ipsec_filter_mask = 2

By the way, I still do not understand why the default value of this 
sysctl is different from the suggested one.

- I modified the pf ruleset to add a rule for outbound traffic on enc0:

    # cat /etc/pf.conf
    peers = "{1.2.3.4, 5.6.7.8}"

    set skip on lo
    block all

    # Allow IKE
    pass  in proto {tcp, udp} from $peers to self   port isakmp
    pass out proto {tcp, udp} from self   to $peers port isakmp

    # Allow ICMPv4 echo requests only through IPsec
    pass  in on enc0 proto icmp from $peers to self   icmp-type echoreq
    pass out on enc0 proto icmp from self   to $peers icmp-type echoreq

IPsec filtering seems to work fine with this config. I can confirm that
ICMP traffic is encrypted. Furthermore, removing the last rules actually
blocks echo requests, which is what is expected.

Thanks for your help and for letting me know that the enc was available
as a kernel module!

Marin.

21 mars 2017 13:22 "Kristof Provost"  a écrit:

>  On 21 Mar 2017, at 12:44, Miroslav Lachman wrote: 
>  > Kristof Provost wrote on 2017/03/21 10:18: 
>  >> On 21 Mar 2017, at 9:43, Marin Bernard wrote: 
>  > 
>  >>> If there is no SA, it is impossible for a peer to ping another. As 
>  >>> soon 
>  >>> as IKE creates a SA, however, ping starts working. As you can see, 
>  >>> the last rule is explicitely bound to the inexistent enc0 interface, 
>  >>> and 
>  >>> yet is working fine. 
>  >>> 
>  >> Can you try without the enc0 rule? I suspect that what’s happening 
>  >> here 
>  >> is that 
>  >> the IPSec traffic is bypassing the firewall altogether. If that's the 
>  >> case the 
>  >> your traffic will still flow, even without the pass on enc0 rule. 
>  >> 
>  >> If you want to filter on it it should work if you add ‘device 
>  >> enc’ to your 
>  >> kernel config. The man page suggests that should then allow you to 
>  >> filter IPSec 
>  >> traffic on enc0. 
>  > 
>  > Shouldn't it be included in GENERIC if IPSec is now part of it? It 
>  > seems 
>  > illogical to build own kernel for IPsec if IPSec was included in 
>  > GENERIC for 
>  > 11.0 ... but without enc. 
>  > 
>  Yeah, perhaps it should be. 
>  
>  I’ve not used it myself, so I don’t know if/how well it works now, 
>  but unless 
>  it breaks things or introduces significant performance regressions we 
>  should 
>  probably turn it on too. 
>  
>  Martin, could you give us an idea of how well this works for you when 
>  you’ve 
>  got the time to set it up? 
>  
>  Regards, 
>  Kristof 