IPSec multicast limitation?

José Manuel Quintana Cámara jmquintanacamara at gmail.com
Tue Feb 23 15:47:24 UTC 2016

Dear FreeBSD developers,

I am Jose Manuel, software engineer. I got your email address from the
website (https://www.freebsd.org/mailto.html). I am sorry if this is not
the right place to ask my question. If so, please tell me where to do it.

I write to you because I am finding some problems when using IPSec
multicast mode. I hope to be clear describing my problem.

I am using the network environment (file attached Network.png).
Firstly, I performed IP multicast communications (IP, not IPSec, just to
check that multicast is working properly) sending data from PC4 to PC1 and
PC2. Everything OK.

Then I enabled IPSec using setkey (
https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8) and found:
1. with IPSec unicast communications: I found some examples for IPSec
unicast in the setkey man page. I configured a pair of SAs between PC4 and
PC1 in tunnel mode (between routers 1 and 4) and it worked perfectly: I see
that UDP data exchanged between PC1 and PC4 is protected between routers 1
and 4 in ESP mode. I attach the file IPSec_Unicast.txt with the SAs and SPs
created, working in every pair of PCs.

2. Now that I have IPSec unicast and IP multicast working, let's put them
together as IPSec multicast... but I found problems with it :(
I have not found any multicast example in the setkey man page. Since there
are no multicast examples, I wonder if setkey is only made for unicast...
or the kernel is not able to do it...
I found this post from a guy who says it worked using the multicast address
when creating the SA (
http://security.stackexchange.com/questions/85915/ipsec-on-multicast). So,
I tried in the same way, using the multicast address, to send data from PC4
to PC1 and PC2 (belonging to multicast group) and I found that the router4
received the UDP frames but it didn't output the ESP frames to the rest of
routers. I attach the file IPSec_Multicast.txt with the SAs and SPs
created, not sure whether they are well built or not.

I have the following questions:
1. Is there a limitation in the FreeBSD kernel of using IPSec multicast?
2. If not, is the limitation in setkey? Or maybe I am not using setkey

Thank you very much in advance and congratulations for your work!

Best regards,
José Manuel Quintana
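The unicast tunnel-mode setup described in point 1 above, written out as a script that emits a setkey(8) configuration. This is an added example and not the writer's IPSec_Unicast.txt nor anything from the FreeBSD project; the outer router addresses, the LAN prefixes, the SPI values and the algorithm choice (ESP with aes-cbc plus hmac-sha1) are all assumptions, and the keys are constructed dummy values that must be replaced by output of a proper random source before use. The script only covers the unicast case; whether the kernel forwards ESP for a multicast destination is the open question of the message and is not answered here.

```shell
#!/bin/sh
# Emit a setkey(8) configuration for one pair of tunnel-mode ESP SAs between
# router 1 and router 4, plus the SPD entries that force traffic between the
# two LANs through the tunnel. Addresses, SPIs and keys are constructed.
set -eu

R1_OUTER=10.0.0.1        # router 1 tunnel endpoint (assumed)
R4_OUTER=10.0.0.4        # router 4 tunnel endpoint (assumed)
PC1_NET=192.168.1.0/24   # LAN behind router 1, where PC1 sits (assumed)
PC4_NET=192.168.4.0/24   # LAN behind router 4, where PC4 sits (assumed)

# Dummy keys for illustration only. Generate real ones with a CSPRNG,
# e.g. `openssl rand -hex 16` for aes-cbc and `openssl rand -hex 20` for
# hmac-sha1, and use different keys for each direction.
ENC_KEY_14=0x00112233445566778899aabbccddeeff
ENC_KEY_41=0xffeeddccbbaa99887766554433221100
AUTH_KEY_14=0x0123456789abcdef0123456789abcdef01234567
AUTH_KEY_41=0x76543210fedcba9876543210fedcba9876543210

# key_ok ALG 0xHEX: succeed only if the hex key has the length ALG requires.
# setkey rejects wrong-length keys, but checking up front gives a clearer error.
key_ok() {
  hex=${2#0x}
  case $1 in
    aes-cbc)   want=32 ;;   # 128-bit key -> 32 hex digits
    hmac-sha1) want=40 ;;   # 160-bit key -> 40 hex digits
    *)         return 1 ;;  # algorithm not handled by this example
  esac
  [ "${#hex}" -eq "$want" ]
}

# sa_line SRC DST SPI ENCKEY AUTHKEY: one tunnel-mode ESP SA in setkey syntax.
sa_line() {
  printf 'add %s %s esp %s -m tunnel -E aes-cbc %s -A hmac-sha1 %s;\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# gen_setkey_conf: print the full configuration as loaded on router 1.
# Router 4 loads the mirror image (the -P out / -P in policies swapped).
gen_setkey_conf() {
  key_ok aes-cbc   "$ENC_KEY_14"  || return 1
  key_ok aes-cbc   "$ENC_KEY_41"  || return 1
  key_ok hmac-sha1 "$AUTH_KEY_14" || return 1
  key_ok hmac-sha1 "$AUTH_KEY_41" || return 1

  printf 'flush;\n'      # drop existing SAs
  printf 'spdflush;\n'   # drop existing policies
  # One SA per direction; SPIs are chosen by the administrator and must
  # match on both routers.
  sa_line "$R1_OUTER" "$R4_OUTER" 0x1001 "$ENC_KEY_14" "$AUTH_KEY_14"
  sa_line "$R4_OUTER" "$R1_OUTER" 0x1002 "$ENC_KEY_41" "$AUTH_KEY_41"
  # "require" means packets matching the selector are dropped rather than
  # sent in the clear if no usable SA exists.
  printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
    "$PC1_NET" "$PC4_NET" "$R1_OUTER" "$R4_OUTER"
  printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
    "$PC4_NET" "$PC1_NET" "$R4_OUTER" "$R1_OUTER"
}

# Usage on router 1 (as root):
#   ./gen_ipsec.sh > /tmp/ipsec.conf && setkey -f /tmp/ipsec.conf
#   setkey -D    # list installed SAs
#   setkey -DP   # list installed policies
```

The `-P out` policy on router 1 matches traffic from PC1's LAN towards PC4's LAN and selects the 10.0.0.1 to 10.0.0.4 SA; the `-P in` policy requires that traffic arriving from PC4's LAN came through the reverse tunnel, so clear-text UDP injected between the routers is discarded rather than delivered. `setkey -D` after loading shows the two SAs with their SPIs, which is the quickest way to confirm the SA table matches what the capture between routers 1 and 4 is expected to show.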
