tech-net archive


IPsec vs ssh



I'm experimenting with IPsec and have found that once I have
a tunnel working between a pair of NetBSD hosts running IPsec,
I can no longer ssh directly from one to the other - or that
once I load ipsec.conf, ssh sessions freeze.

The reason for this, I suspect, is that the SPD (ipsec.conf)
ends up specifying that the packets for ssh between the two
hosts are to be encrypted and wrapped up by each end point
before being sent to the other end.

The man page for setkey seems to suggest that there is a priority
mechanism that would allow me to create a "none" SPD for ssh
packets but setkey on NetBSD doesn't support this. If I understand
correctly, if it was present then I would do something like this:

spdadd A.B.C.D/32 E.F.G.0/24 any -P in priority low ipsec esp/tunnel/A.B.C.D-E.F.G.H/require;
spdadd E.F.G.0/24 A.B.C.D/32 any -P out priority low ipsec esp/tunnel/E.F.G.H-A.B.C.D/require;
spdadd A.B.C.D/32[22] E.F.G.0/24[any] tcp -P in priority high none;
spdadd E.F.G.0/24[any] A.B.C.D/32[22] tcp -P out priority high none;

So that the policy for packets matching ssh have a higher priority than
the others and result in no action being taken by IPsec with them.

Some questions...

1) How do I enable priority policies in NetBSD?
2) Will they work if I do enable them?
3) Is there another way to achieve this?

Darren
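To illustrate the policy-selection behaviour the post is asking about, here is an added Python simulation (not NetBSD's or setkey's code): it models the four spdadd lines from the post, with constructed RFC 5737 addresses standing in for A.B.C.D and E.F.G.0/24, and shows which policy wins for ssh traffic with and without priority support. It assumes first match in listed order when priorities are ignored; that ordering is an assumption of the simulation, not a statement about the NetBSD kernel.

```python
import ipaddress

# Constructed stand-ins for the post's A.B.C.D/32 and E.F.G.0/24.
HOST = "192.0.2.1/32"
NET = "198.51.100.0/24"


class Policy:
    """One spdadd entry: address/port/proto selectors, direction, priority, action."""

    def __init__(self, src, dst, proto, direction, priority, action,
                 sport=None, dport=None):
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.proto, self.direction, self.action = proto, direction, action
        # Simulation convention: larger number wins ("high" beats "low").
        self.priority = {"high": 2, "low": 1}.get(priority, 0)
        self.sport, self.dport = sport, dport   # None means "[any]"

    def matches(self, pkt):
        return (pkt["dir"] == self.direction
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))


# The four spdadd lines from the post, in the order they were written.
SPD = [
    Policy(HOST, NET, "any", "in", "low", "esp/tunnel/A.B.C.D-E.F.G.H/require"),
    Policy(NET, HOST, "any", "out", "low", "esp/tunnel/E.F.G.H-A.B.C.D/require"),
    Policy(HOST, NET, "tcp", "in", "high", "none", sport=22),
    Policy(NET, HOST, "tcp", "out", "high", "none", dport=22),
]


def lookup(pkt, spd=SPD, honour_priority=True):
    """Return the action of the winning policy, or None if nothing matches.
    With honour_priority the highest-priority match wins; without it the
    first matching entry in listed order wins (assumption of this model)."""
    hits = [p for p in spd if p.matches(pkt)]
    if not hits:
        return None
    if honour_priority:
        hits.sort(key=lambda p: p.priority, reverse=True)  # stable sort keeps order on ties
    return hits[0].action


# Constructed sample packets: sshd reply, ssh client request, unrelated UDP.
SSH_REPLY = {"dir": "in", "src": "192.0.2.1", "dst": "198.51.100.7",
             "proto": "tcp", "sport": 22, "dport": 40123}
SSH_REQ = {"dir": "out", "src": "198.51.100.7", "dst": "192.0.2.1",
           "proto": "tcp", "sport": 40123, "dport": 22}
OTHER = {"dir": "out", "src": "198.51.100.7", "dst": "192.0.2.1",
         "proto": "udp", "sport": 5000, "dport": 5000}
```

Running `lookup(SSH_REPLY)` returns "none" while `lookup(SSH_REPLY, honour_priority=False)` returns the esp tunnel action, which is exactly the difference the post describes: without priority support the broader "require" entry captures the ssh packets too.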


