A question about routed IPSec connections

Started by bimbar, July 12, 2021, 04:37:29 PM

In 21.1, you can only have a p-t-p connection between the hosts that connect to each other in a routed IPSec connection. But at least some clouds only allow /30 link networks.
Has that been made possible in 21.7? Is it planned?

Are you sure that is still a limitation on current 21.1.8?


Cheers,
Franco

Could you give an example of what isn't working? Which cloud provider etc.? I can at the very least report that routed S2S VPNs to an AWS VPC are possible with 20.7 (and I would assume that holds true for any version thereafter, too).

This is still a limitation on 21.1.8. You can only enter "Local Address" and "Remote Address", network masks are illegal.

An example for clouds that need this is Alibaba, which we are doing quite a lot of at the moment since Alibaba CEN is the only way to get to China with anything like acceptable performance.

Isn't that what "Network" type is for?


Cheers,
Franco

I don't know what you mean by that; if I select mode "Route Based" in Phase 2, I cannot see any "Network" type.

Ah ok, route based. I missed this.

The subnet size is calculated from the local-remote IP distance. For 10.1.1.1 to 10.1.1.2 that is a /30...


Cheers,
Franco

Ok thanks, I'll try that. Perhaps it would be useful to add that to the help.

Quote from: franco on July 14, 2021, 03:26:20 PM
Ah ok, route based. I missed this.

The subnet size is calculated from the local-remote IP distance. For 10.1.1.1 to 10.1.1.2 that is a /30...


Cheers,
Franco
Also: if this distance is bigger than 32, it doesn't work.
10.10.11.1 - 10.10.11.20 is OK
10.10.11.20 - 10.10.11.50 is OK
10.10.11.20 - 10.10.11.60 is not working

I was wondering why this wasn't adjusted to the nearest power of 2, which it should probably have been?

https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871

It looks a bit suspicious.


Cheers,
Franco

In my opinion it would be preferable to explicitly configure this.

Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
It is.  I am not that great a programmer but I know networking.

The calculation for IPv4 fundamentally makes sense, but needs to be changed from a difference to the 2log of the same, rounded down plus 1 - probably. I don't know if there are convenient functions for bit arithmetic that avoid floating point calculations. As I said, not that much of a PHP guru.

Plus the prefix length should be /64 for all IPv6 connections unless explicitly configured differently by the admin.
One does not simply use subnets in IPv6.  ;)

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
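As an added illustration of the computation Patrick describes (not OPNsense code and not from the linked ipsec.inc): the smallest prefix that contains both tunnel endpoints follows from the highest bit in which the two addresses differ, which is the XOR of the addresses rather than their arithmetic difference. The XOR form also covers the case where the pair straddles a power-of-two boundary, which a plain difference would get wrong. Function names are assumptions.

```python
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Union

def link_prefix_len(local: str, remote: str) -> int:
    """Smallest prefix length whose network contains both addresses.

    XOR marks every bit position where the addresses differ; the bit_length
    of that value is the position of the highest differing bit, so the
    common prefix is max_prefixlen minus that bit_length.  This is the
    integer equivalent of floor(log2(x)) + 1 without floating point.
    """
    a, b = ip_address(local), ip_address(remote)
    if a.version != b.version:
        raise ValueError("local and remote must be the same address family")
    differing_bits = int(a) ^ int(b)
    return a.max_prefixlen - differing_bits.bit_length()

def link_network(local: str, remote: str) -> Union[IPv4Network, IPv6Network]:
    """The link network implied by the two endpoints (host bits masked off)."""
    return ip_network(f"{local}/{link_prefix_len(local, remote)}", strict=False)

def difference_prefix_len(local: str, remote: str) -> int:
    """Difference-based variant (floor(log2(|a-b|)) + 1 host bits) for
    comparison; it is only correct when the pair does not cross a
    power-of-two boundary, which is why XOR is used above."""
    a, b = ip_address(local), ip_address(remote)
    host_bits = abs(int(a) - int(b)).bit_length()
    return a.max_prefixlen - host_bits

if __name__ == "__main__":
    # Address pairs taken from the thread (assumed inputs for the demo).
    for pair in [("10.1.1.1", "10.1.1.2"), ("10.10.11.1", "10.10.11.20"),
                 ("10.10.11.20", "10.10.11.50"), ("10.10.11.20", "10.10.11.60"),
                 ("10.1.1.3", "10.1.1.4"), ("2001:db8::1", "2001:db8::2")]:
        net = link_network(*pair)
        print(f"{pair[0]} - {pair[1]}: /{net.prefixlen} ({net}); "
              f"difference-based would give /{difference_prefix_len(*pair)}")
```

For 10.1.1.3 and 10.1.1.4 the difference is 1 but the addresses are not in a common /31, so only the XOR form yields a network (/29) that actually contains both.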

Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

It feels like my replies and questions are mostly being ignored. :P

Quote from: franco on July 22, 2021, 07:41:35 PM
I was wondering why this wasn't adjusted to the nearest power of 2, which it should probably have been?

https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871

It looks a bit suspicious.

Quote from: franco on July 26, 2021, 01:34:46 PM
Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.

It feels like my replies and questions are mostly being ignored. :P

Quote from: franco on July 22, 2021, 07:41:35 PM
I was wondering why this wasn't adjusted to the nearest power of 2, which it should probably have been?

https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871

It looks a bit suspicious.

I did read that, but maybe I misunderstood, in that it not only has to be adjusted to the nearest power of 2 but also the logarithm needs to be taken.

Anyway, I think the whole idea of calculating this is wrong; it should instead be explicitly specified by the user. What if I have a bigger link network where I want to use adjacent addresses anyway?

Quote from: pmhausen on July 26, 2021, 01:26:12 PM
Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
It is.  I am not that great a programmer but I know networking.

The calculation for IPv4 fundamentally makes sense, but needs to be changed from a difference to the 2log of the same, rounded down plus 1 - probably. I don't know if there are convenient functions for bit arithmetic that avoid floating point calculations. As I said, not that much of a PHP guru.

Plus the prefix length should be /64 for all IPv6 connections unless explicitly configured differently by the admin.
One does not simply use subnets in IPv6.  ;)

Kind regards,
Patrick

For IPv6, /127 is not that uncommon.

For IPv4, how would the algorithm decide whether you want to do /31 or /30?