Date: Sun, 28 Apr 2019 13:50:28 +0200
From: <driesm.michiels@gmail.com>
To: <freebsd-net@freebsd.org>
Subject: IPSec with if_ipsec strongswan and dynamic roadwarriors
Message-ID: <001201d4fdb8$93de0d80$bb9a2880$@gmail.com>

Hi net mailing list,

Was wondering if it's possible to set up a route-based IPSec VPN with Strongswan with if_ipsec in FreeBSD? The caveat that I have is dynamic IP addresses (server (I have DDNS) + clients (roadwarriors; mobile, tablet, etc)).

How should one configure the if_ipsec interface? The Strongswan part is relatively straightforward as it takes variables that indicate "%any".

I found some guides for road warriors with Ubuntu VTI; they configure it as such:

* ip tunnel add ipsec0 local 192.168.0.1 remote 0.0.0.0 mode vti key 42
* Reference: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

So the first address, I assume, is the left side of the external header (so NAT-T is needed) and the remote is a match-all policy for the right side.

Can this be copy-pasted on FreeBSD? In other words, is the Ubuntu command equivalent to "ifconfig ipsec0 inet tunnel 192.168.0.1 0.0.0.0" for FreeBSD?

The if_ipsec of FreeBSD also takes the inet configuration, which is, if I'm correct, the internal headers of the packets. This is where Ubuntu has to add a static route, although for FreeBSD this would be set up automatically as we define this on our ipsec0 interface.

Thanks for shining some light on this!