A question about routed IPSec connections

[bimbar]

In 21.1, you can only have a p-t-p connection between the hosts that connect to each other in a routed IPSec connection. But at least some clouds only allow /30 link networks.
Has that been made possible in 21.7? Is it planned?

[franco]

Are you sure that is still a limitation on current 21.1.8?


Cheers,
Franco

[marcquark]

Could you give an example of what isn't working? Which Cloud Provider etc.? I can at the very least report that routed S2S VPNs to an AWS VPC are possible with 20.7 (and i would assume that holds true for any version thereafter, too)

[bimbar]

This is still a limitation on 21.1.8. You can only enter "Local Address" and "Remote Address", network masks are illegal.

An example for clouds that need this is alibaba. Which we are doing quite a lot of at the moment since Alibaba CEN is the only way to get to china with anything like acceptable performance.

[franco]

Isn't that what "Network" type is for?


Cheers,
Franco

[bimbar]

I don't know what you mean by that, if I select mode "Route Based" in Phase 2, I can not see any "Network" type.

[franco]

Ah ok, route based. I missed this.

The subnet size is calculated from the local-remote IP distance. For 10.1.1.1 to 10.1.1.2 that is a /30...


Cheers,
Franco

[bimbar]

Ok thanks, I'll try that. Perhaps it would be useful to add that to the help.

[GaardenZwerch]

Ah ok, route based. I missed this.

The subnet size is calculated from the local-remote IP distance. For 10.1.1.1 to 10.1.1.2 that is a /30...


Cheers,
Franco

also: if this distance is bigger than 32, it doesn't work.
10.10.11.1 - 10.10.11.20 is OK
10.10.11.20 - 10.10.11.50 is OK
10.10.11.20 - 10.10.11.60 is not working

[franco]

I was wondering why this wasn't adjusted for nearest power of 2 what it should probably have been?

https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871

It looks a bit suspicious.


Cheers,
Franco

[bimbar]

In my opinion it would be preferable to explicitly configure this.

Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

[Patrick M. Hausen]

Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

It is.  I am not that great a programmer but I know networking.

The calculation for IPv4 fundamentally makes sense, but needs to be changed from a difference to the 2log of the same, rounded down plus 1 - probably. I don't know if there are convenient functions for bit arithmetic that avoid floating point calculations. As I said, not that much of a PHP guru.

Plus the prefix length should be /64 for all IPv6 connections unless explicitly configured differently by the admin.
One does not simply use subnets in IPv6. 

Kind regards,
Patrick

[franco]

Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

It feels like my replies and questions are mostly being ignored.

I was wondering why this wasn't adjusted for nearest power of 2 what it should probably have been?

https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871

It looks a bit suspicious.

[bimbar]

Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

It feels like my replies and questions are mostly being ignored.

I was wondering why this wasn't adjusted for nearest power of 2 what it should probably have been?

https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871

It looks a bit suspicious.

I did read that, but maybe I misunderstood in that it not only has to be adjusted to a nearest power of 2 but also the logarithm needs to be taken.

Anyway, I think the whole idea of calculating this is wrong, it should instead be explicitly specified by the user. What if I have a bigger link network where I want to use adjacent addresses anyway?

[bimbar]

Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

It is.  I am not that great a programmer but I know networking.

The calculation for IPv4 fundamentally makes sense, but needs to be changed from a difference to the 2log of the same, rounded down plus 1 - probably. I don't know if there are convenient functions for bit arithmetic that avoid floating point calculations. As I said, not that much of a PHP guru.

Plus the prefix length should be /64 for all IPv6 connections unless explicitly configured differently by the admin.
One does not simply use subnets in IPv6. 

Kind regards,
Patrick

For IPv6, /127 is not that uncommon.

For IPv4, how would the algorithm decide whether you want to do /31 or /30?