linux-ipsec: Linux IPsec with multicast traffic
From: Bhrat Patel <B.Patel(at)cs.ucl.ac.uk>
Date: Tue Jun 02 1998 - 14:19:14 EDT

Has anyone managed to get Freeswan-0.8 to encrypt multicast traffic? I've installed it on RH5.0 (with kernel 2.0.34) in the following test network.
fh1 gateway mh1
"gateway" is basically acting as a router between two subnets, with fh1 generating multicast packets that mh1 wants to receive. I've successfully configured ipsec so that unicast packets from fh1 are encrypted by gateway before sending to mh1 where they are decrypted.

With a bit of fudging inside mrouted (running on gateway) I have persuaded it to use ipsec0 instead of eth0. It originally ignored ipsec0 because it discovers eth0 first and uses this for sending to mh1.

I'm using the following commands to set things up:

On gateway:

    route add -net 224.0.0.0 netmask 240.0.0.0 dev ipsec0
    eroute add 192.168.2.0 255.255.255.0 \
        224.2.194.216 255.255.255.255 224.2.194.216 127
    spi 224.2.194.216 127 esp des-md5-96 <iv> <key>
On mh1:
224.2.194.216 is the address that the multicast traffic is being sent on
The problem is that packets don't appear to be going through ipsec processing at all, the traffic is forwarded by gateway without being encrypted (I deleted the SPI on mh1 and the traffic was still being displayed). Running klipsdebug doesn't help because the packets don't seem to be making it that far.

Anyone know what I'm doing wrong? Or where I should be looking to track down the problem... or is the code just not ready to handle multicast? I know that key distribution in multicast is an on-going problem, but that is being done out-of-band, all I need are the encrypted packets :-)
Regards,
Dept. of Computer Science, University College London.
http://www.cs.ucl.ac.uk/staff/B.Patel

Received on Tue Jun 2 15:40:20 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:22 EDT