On 9/28/24 04:10, Janne Johansson wrote:
> Den fre 27 sep. 2024 kl 20:05 skrev Boyd Stephens <bsteph...@netelysis.com>:
>> I desired to destroy and recreate enc0 but if memory serves me correctly
>> the enc0 interface always exists and cannot be destroyed using ifconfig.
>> I have inferred from this (and possibly incorrectly) that the only way
>> to destroy and reestablish enc0 is through a reboot.
>
> Sorry that this is not helping you solve your particular issue, but I
> noticed this part above.
>
> You make it sound (not trying to put words in your mouth, only
> how I perceived it) as if enc0 relates to an ipsec tunnel the way, for
> instance, a tun or tap device relates to say an OpenVPN tunnel. It does
> not.
>
> The enc0 interface exists so that when traffic gets decapsulated on
> the way in, it has to "come" from somewhere. The actual physical
> interface the AH/ESP packet arrived on is not interesting
> (anymore) after decryption, so if you want to filter with pf or
> tcpdump, you need an interface to refer to for the cleartext traffic.
> Same goes for outward traffic of course: it gets fed "into" enc0 and
> after encryption it will exit via some other interface.
>
> Now, if you only run a simple setup with one ipsec flow/SA, it might
> feel like it is "the same" as openvpn/tun with one tunnel and one
> special interface, but if you set up more than one ipsec, you still see
> all encapsulated traffic pass via enc0, whereas with openvpn tunnels you
> would set up one tun/tap for each tunnel.
>
> So what this means is that enc0 is rather a special meta-device
> for all cleartext ipsec traffic, and you should really not need to
> think about destroying and re-creating it in the same sense as if it
> was openvpn+tun0 or wireguard+wg0 or something like that. At least
> not for clearing configs.
>
> Perhaps I have misunderstood your "mistake" here, and then my message
> might at least help someone else understand enc0 slightly better, and
> regardless of whether this helps you understand it better or not, I hope
> your problem gets solved without needing reboots to "clear" the
> interface, since that should really not be necessary.
Janne,
Thank you for your response.
I cannot say that what you shared was the line of thinking that
possessed me in my previous correspondence but I AM SURELY GLAD that you
possibly THOUGHT that my analysis path was in this particular space.
Your feedback and input is full of a number of technical jewels that I
genuinely found, and I am sure others will find, helpful.
The content especially resonates with our small team due to the fact
that one of our largest customer's wan deployment heavily leans on the
openvpn platform thus we have a tad-bit of a familiarity with that
particular technology's inner workings.
Concerning the original issue, earlier in the day I believe that we may
have turned a corner in finding a resolution. Once our team is able to
test out the validity of the solution I will look to post the details of
our findings to this thread.
Thanks again for sharing your insight.
------
Bro Boyd
I85Cyber.org
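To make the point about enc0 concrete, here is an added pf.conf fragment (constructed for this page, not posted by either participant in the thread) showing the two places an IPsec packet is seen on an OpenBSD gateway: once encrypted on the physical interface, and once in cleartext on enc0. The interface name em0, the addresses 203.0.113.1, 10.10.0.0/16 and 10.20.0.0/16, and the allowed ports are assumptions chosen for the example; the `ipencap` rule applies only when the SA runs in tunnel mode, where the decrypted packet on enc0 is still IP-in-IP.

```pf
# Added example pf.conf fragment; interface names and addresses are assumed.
ext_if     = "em0"              # physical interface the ESP/AH packet arrives on
peer_gw    = "203.0.113.1"      # assumed remote IPsec gateway
local_lan  = "10.10.0.0/16"     # assumed network on this side
remote_lan = "10.20.0.0/16"     # assumed network behind the peer

# 1. Encrypted traffic and IKE are filtered on the physical interface.
#    Only the wrapper is visible here; the payload is still ciphertext.
pass in on $ext_if proto esp from $peer_gw to ($ext_if)
pass in on $ext_if proto ah  from $peer_gw to ($ext_if)
pass in on $ext_if proto udp from $peer_gw to ($ext_if) port { 500, 4500 }

# 2. After decryption the same traffic reappears on enc0, whichever
#    physical interface it came in on and however many SAs exist.
#    Tunnel-mode SAs present an IP-in-IP packet first (ipencap).
pass in  on enc0 proto ipencap from $peer_gw to ($ext_if) keep state (if-bound)

#    The actual application traffic is filtered on enc0, not on $ext_if.
pass in  on enc0 inet proto tcp from $remote_lan to $local_lan port { 22, 443 } \
    keep state (if-bound)
pass out on enc0 from $local_lan to $remote_lan keep state (if-bound)

# Inspecting the two views (shell commands, shown as comments):
#   tcpdump -ni em0 esp          # ciphertext only, on the physical interface
#   tcpdump -ni enc0             # cleartext for every SA, on the meta-device
```

The `keep state (if-bound)` option ties the state entry to enc0, so a packet that matched there cannot later be matched by a floating state on the physical interface; because every SA's cleartext shares this one interface, rules on enc0 should name the peer networks explicitly rather than rely on "it came from the tunnel" the way a per-tunnel tun0 rule might.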