From: (address stripped in archive; envelope-from driesm.michiels@gmail.com)
To: freebsd-net@freebsd.org
Subject: IPSec with if_ipsec strongswan and dynamic roadwarriors
Date: Sun, 28 Apr 2019 13:50:28 +0200
Message-ID: <001201d4fdb8$93de0d80$bb9a2880$@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi net mailing list,

Was wondering if it's possible to set up a route-based IPSec VPN with Strongswan with if_ipsec in FreeBSD? The caveat I have is dynamic IP addresses (server (I have DDNS) + clients (roadwarriors; mobile, tablet, etc.)).

How should one configure the if_ipsec interface? The Strongswan part is relatively straightforward as it takes variables that indicate "%any".

I found some guides for road warriors with Ubuntu VTI; they configure it as such:

* ip tunnel add ipsec0 local 192.168.0.1 remote 0.0.0.0 mode vti key 42
* Reference: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

So the first address, I assume, is the left side of the external header (so NAT-T is needed) and the remote is a match-all policy for the right side. Can this be copy-pasted on FreeBSD? In other words, is the Ubuntu command equivalent to "ifconfig ipsec0 inet tunnel 192.168.0.1 0.0.0.0" for FreeBSD?
The if_ipsec of FreeBSD also takes the inet configuration, which, if I'm correct, is the internal headers of the packets. This is where Ubuntu has to add a static route, although for FreeBSD this would be set up automatically as we define this on our ipsec0 interface.

Thanks for shining some light on this!