Date: Sun, 28 Apr 2019 18:23:01 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: driesm.michiels@gmail.com, freebsd-net@freebsd.org
Subject: Re: IPSec with if_ipsec strongswan and dynamic roadwarriors
Message-ID: <ef56740d-fd72-80c8-5126-1524b095961b@yandex.ru>
In-Reply-To: <001201d4fdb8$93de0d80$bb9a2880$@gmail.com>
References: <001201d4fdb8$93de0d80$bb9a2880$@gmail.com>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156).

On 28.04.2019 14:50, driesm.michiels@gmail.com wrote:
> Was wondering if it's possible to set-up a route based IPSec VPN with
> Strongswan with if_ipsec in FreeBSD?

We use if_ipsec(4) with Strongswan between offices. But our configuration
is specific. All if_ipsec(4) interfaces are preconfigured via rc.conf.
I.e. all interfaces have configured IP addresses and tunnel endpoints.
Strongswan is used to install security associations. For each if_ipsec(4)
interface we have a corresponding entry in ipsec.conf.

conn some-name-ipsec18
        installpolicy=no
        auto=route
        left=Local-Tunnel-IP-address
        right=Remote-Tunnel-IP-address
        rightid=@some-name-id
        reqid=18

Each interface has a unique reqid.

> The caveat that I have are dynamic IP addresses (server (I have DDNS) +
> clients (roadwarriors; mobile, tablet, etc)).
>
> How should one configure the if_ipsec interface? The Strongswan part is
> relatively straightforward as it takes variables that indicate "%any".
>
> I found some guides for road warriors with Ubuntu VTI, they configure it as
> such:
>
> * ip tunnel add ipsec0 local 192.168.0.1 remote 0.0.0.0 mode vti key 42
> * Reference:
>   https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
> So the first address I assume is the left side of the external header (so
> NAT-T is needed) and the remote is a match all policy for the right side.
>
> Can this be copy pasted on FreeBSD? In other words, is the Ubuntu command
> equivalent to "ifconfig ipsec0 inet tunnel 192.168.0.1 0.0.0.0" for FreeBSD?

This won't work. I think you need to write an updown script that will
create the corresponding if_ipsec(4) interface on demand and configure
it, i.e. set tunnel addresses and internal addresses if needed. Note that
you need to use the same reqid for if_ipsec(4) and for the "conn" option.

-- 
WBR, Andrey V. Elsukov
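The updown approach suggested in the reply above, written out as an added example. This script is not part of the thread and is not code from the FreeBSD or strongSwan projects. It assumes a conn that keeps installpolicy=no (as in the posted ipsec.conf, because if_ipsec(4) installs its own policies keyed by reqid), points leftupdown= at this script, uses right=%any with rightsourceip= so each client gets a virtual IP, and leaves reqid unset so charon allocates one per CHILD_SA and exports it as PLUTO_REQID. The interface is named ipsec<reqid> so the reqid given to ifconfig and the one strongSwan uses for the SA are the same number, which is the constraint the reply stresses. The gateway-side inner address 10.255.0.1, the IFCONFIG and DRY_RUN knobs, and the client addresses used in the usage example are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a strongSwan updown script for FreeBSD
# that creates an if_ipsec(4) interface per road-warrior CHILD_SA and removes
# it when the SA goes away. Assumptions (mine, not the poster's): the conn has
# installpolicy=no and leftupdown=<this script>, reqid is left unset so charon
# allocates one and exports it as PLUTO_REQID, and rightsourceip hands out
# virtual IPs so PLUTO_PEER_CLIENT is the client's address (e.g. 10.10.10.5/32).
# charon exports PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT, PLUTO_REQID.

set -eu

INNER_LOCAL="10.255.0.1"          # assumed gateway-side inner tunnel address
IFCONFIG="${IFCONFIG:-ifconfig}"  # assumed: plain ifconfig(8); overridable
DRY_RUN="${DRY_RUN:-}"            # non-empty: print commands instead of running

# Name the interface after the reqid so the reqid set with ifconfig and the
# reqid strongSwan uses for the SA are the same number.
if_name() {
    printf 'ipsec%s\n' "$1"
}

# Drop a /prefix suffix: 10.10.10.5/32 -> 10.10.10.5
strip_prefix() {
    printf '%s\n' "${1%%/*}"
}

# Execute a command, or print it in dry-run mode. Arguments are passed through
# as argv and never re-parsed by a shell, so negotiated values (addresses sent
# by the peer side of the exchange) cannot smuggle in extra commands.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 reqid, $2 outer local address (PLUTO_ME), $3 outer peer address
# (PLUTO_PEER), $4 peer virtual IP (PLUTO_PEER_CLIENT, may carry a /prefix)
up_client() {
    _ifn=$(if_name "$1")
    _peer_inner=$(strip_prefix "$4")
    # Create only if the interface does not exist yet (the same reqid may
    # come back, and a second "create" would fail and abort the script).
    if ! "$IFCONFIG" "$_ifn" >/dev/null 2>&1; then
        run "$IFCONFIG" "$_ifn" create reqid "$1"
    fi
    run "$IFCONFIG" "$_ifn" inet tunnel "$2" "$3"
    run "$IFCONFIG" "$_ifn" inet "$INNER_LOCAL" "$_peer_inner"
}

down_client() {
    run "$IFCONFIG" "$(if_name "$1")" destroy
}

# Dispatch on the verb charon passes; other verbs (up-host, *-v6, ...) are
# deliberately ignored here.
updown_main() {
    case "${PLUTO_VERB:-}" in
        up-client)   up_client "$PLUTO_REQID" "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_PEER_CLIENT" ;;
        down-client) down_client "$PLUTO_REQID" ;;
        *)           : ;;
    esac
}

# Act only when invoked by charon (PLUTO_VERB set); sourcing the file for
# testing does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

To see what charon would do for one client without touching the system, run it with constructed values, e.g. `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_REQID=42 PLUTO_ME=192.0.2.1 PLUTO_PEER=198.51.100.7 PLUTO_PEER_CLIENT=10.10.10.5/32 sh if_ipsec-updown.sh`, which prints the create/tunnel/inet sequence for ipsec42. Two caveats worth keeping in mind: because installpolicy=no means strongSwan installs no SPD entries of its own, the routes pointing at each ipsecN interface (and any pf rules on them) are what actually decides which traffic is protected, so the updown script is part of the security boundary and must stay simple and quote everything; and interfaces created this way are never in rc.conf, so unlike the static office-to-office setup in the reply they disappear with the SA and reappear with the next one.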
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ef56740d-fd72-80c8-5126-1524b095961b>