Date: Tue, 30 Dec 2014 11:09:19 +1100
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: ari@ish.com.au
Cc: freebsd-stable@freebsd.org
Subject: Re: ipsec routing issue
Message-ID: <54A1ED2F.2070305@heuristicsystems.com.au>
In-Reply-To: <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net>
Ari,

Bjoern offers good advice (as usual). This practical example might help, taken from two devices connected to the internet - some numbers and "keys" have obviously been changed to protect the sites concerned.

# /etc/ipsec.conf - you should be able to cut/paste and substitute your numbers in this "template"
# SPD: transport mode between the two public endpoints
spdadd 101.48.55.78/32[any] 110.92.114.99/32 any -P in ipsec esp/transport/101.48.55.78-110.92.114.99/require;
spdadd 110.92.114.99/32[any] 101.48.55.78/32[any] any -P out ipsec esp/transport/110.92.114.99-101.48.55.78/require;
# SPD: tunnel mode for the private networks behind each endpoint
spdadd 10.192.0.0/16[any] 10.168.0.0/16[any] any -P in ipsec esp/tunnel/101.48.55.78-110.92.114.99/require;
spdadd 10.168.0.0/16[any] 10.192.0.0/16[any] any -P out ipsec esp/tunnel/110.92.114.99-101.48.55.78/require;
# These remain the same on the two end-points
# (rijndael-cbc keys must be 16, 24 or 32 bytes; the quoted strings below are placeholders, not real keys)
add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc "from_here_to_there12345 *";
add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc "from_there_to_here 12345&";

There is no need to add or change routing nor complicate life with gif. Though you may need to adjust your firewall rules to

ipfw add allow esp from 101.48.55.78 to 110.92.114.99 via $internet_interface
ipfw add allow esp from 110.92.114.99 to 101.48.55.78 via $internet_interface

And it should be noted that when you use enc, you will need to "ifconfig enc0 up" otherwise it's moot.

For dynamic addresses, like iphones (ikev1) or windows (ikev2) notebooks, I've found strongswan the tool of choice if you must use the client's native ipsec mechanism. But it is hard to setup, and udp fragmentation may be an issue (as we found because we have large certificates).

Merry Christmas,
Dewayne.
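A small lint pass for a setkey(8)-style template like the one in the message above, before it is loaded with setkey -f. This is an added example written for this archive page, not code from Dewayne's message, FreeBSD or any project: it checks that every "in" SPD entry has a mirrored "out" entry, that each SPD endpoint pair has an SA in that direction, that each key is a length its algorithm accepts, and that ESP SAs carry an -A authenticator (a plain -E esp SA encrypts but does not protect integrity). The key-length table is my reading of setkey(8), the embedded PAGE_CONF is the template from the message with its placeholder keys, and FIXED_CONF is a constructed variant with 0x hex placeholder keys of the right length (use something like openssl rand -hex 32 for real ones).

```python
"""Lint a setkey(8)-style ipsec.conf: mirrored SPD entries, SAs for every
endpoint pair, key lengths per algorithm, and an authenticator on ESP SAs."""
import re
import shlex
from typing import List, Optional, Tuple

# Key lengths in bytes accepted by setkey(8) for these algorithms (assumed table).
ENC_KEY_LENGTHS = {"rijndael-cbc": {16, 24, 32}, "3des-cbc": {24},
                   "des-cbc": {8}, "null": {0}}
AUTH_KEY_LENGTHS = {"hmac-md5": {16}, "hmac-sha1": {20},
                    "hmac-sha2-256": {32}, "hmac-sha2-384": {48},
                    "hmac-sha2-512": {64}}
AEAD = {"aes-gcm-16"}  # authenticates on its own, so no -A needed

Policy = Tuple[str, str, str, str, str, Optional[Tuple[str, str]]]


def _addr(tok: str) -> str:
    """Drop a [port] suffix: '10.1.0.0/16[any]' -> '10.1.0.0/16'."""
    return re.sub(r"\[.*\]$", "", tok)


def _key_bytes(tok: str) -> bytes:
    """setkey keys are 0x-hex or a double-quoted ASCII string (quotes already stripped by shlex)."""
    return bytes.fromhex(tok[2:]) if tok.startswith("0x") else tok.encode()


def parse(text: str):
    policies: List[Policy] = []
    sas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tok = shlex.split(raw.strip().rstrip(";"))
        if tok[0] == "spdadd":
            # spdadd SRC[port] DST[port] UPPERPROTO -P DIR ipsec PROTO/MODE/[SRC-DST]/LEVEL
            proto, mode, endpoints, _level = tok[7].split("/")
            pair = tuple(endpoints.split("-")) if endpoints else None
            policies.append((_addr(tok[1]), _addr(tok[2]), tok[5], proto, mode, pair))
        elif tok[0] == "add":
            # add SRC DST PROTO SPI [extensions] -E EALG KEY [-A AALG KEY]
            sa = {"src": tok[1], "dst": tok[2], "proto": tok[3],
                  "spi": int(tok[4], 0), "enc": None, "auth": None}
            i = 5
            while i < len(tok):
                if tok[i] in ("-E", "-A"):
                    sa["enc" if tok[i] == "-E" else "auth"] = (tok[i + 1], _key_bytes(tok[i + 2]))
                    i += 3
                else:
                    i += 1  # ignore extensions such as -m tunnel
            sas.append(sa)
    return policies, sas


def check_config(text: str) -> List[str]:
    policies, sas = parse(text)
    findings: List[str] = []
    pset = set(policies)
    sa_dirs = {(s["src"], s["dst"], s["proto"]) for s in sas}
    for src, dst, direction, proto, mode, pair in policies:
        mirror = (dst, src, "out" if direction == "in" else "in", proto, mode,
                  (pair[1], pair[0]) if pair else None)
        if mirror not in pset:
            findings.append(f"ERROR spd: no {mirror[2]} policy mirroring {direction} {src} -> {dst}")
        if pair and (pair[0], pair[1], proto) not in sa_dirs:
            findings.append(f"ERROR sa: no {proto} SA {pair[0]} -> {pair[1]} for {direction} policy {src} -> {dst}")
    for s in sas:
        who = f"{s['proto']} SA {s['src']} -> {s['dst']} spi {s['spi']}"
        for slot, table in (("enc", ENC_KEY_LENGTHS), ("auth", AUTH_KEY_LENGTHS)):
            if s[slot]:
                alg, key = s[slot]
                if len(key) not in table.get(alg, set()):
                    findings.append(f"ERROR key: {who}: {alg} key is {len(key)} bytes, "
                                    f"need one of {sorted(table.get(alg, []))}")
        if s["proto"] == "esp" and not s["auth"] and (not s["enc"] or s["enc"][0] not in AEAD):
            findings.append(f"WARN auth: {who}: no -A authenticator, ESP is confidentiality-only")
    return findings


# The template from the message above, including its placeholder keys.
PAGE_CONF = """
spdadd 101.48.55.78/32[any] 110.92.114.99/32 any -P in ipsec esp/transport/101.48.55.78-110.92.114.99/require;
spdadd 110.92.114.99/32[any] 101.48.55.78/32[any] any -P out ipsec esp/transport/110.92.114.99-101.48.55.78/require;
spdadd 10.192.0.0/16[any] 10.168.0.0/16[any] any -P in ipsec esp/tunnel/101.48.55.78-110.92.114.99/require;
spdadd 10.168.0.0/16[any] 10.192.0.0/16[any] any -P out ipsec esp/tunnel/110.92.114.99-101.48.55.78/require;
add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc "from_here_to_there12345 *";
add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc "from_there_to_here 12345&";
"""

# Constructed variant: 32-byte hex placeholders (NOT real keys) and an -A authenticator.
_K1, _K2 = "0x" + "00112233" * 8, "0x" + "ff" * 32
FIXED_CONF = PAGE_CONF.replace('"from_here_to_there12345 *"', f"{_K1} -A hmac-sha2-256 {_K2}") \
                      .replace('"from_there_to_here 12345&"', f"{_K1} -A hmac-sha2-256 {_K2}")

if __name__ == "__main__":
    for name, conf in (("page template", PAGE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for f in check_config(conf) or ["OK: no findings"]:
            print(" ", f)
```

Run on the template as posted, the linter flags both SAs twice: the 25-byte placeholder strings are not a valid rijndael-cbc key length, and neither SA has an -A authenticator. The mirrored SPD and SA-direction checks pass, which is the property the template is meant to show; the fixed variant produces no findings.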
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54A1ED2F.2070305>