Date: Fri, 21 Jul 2017 18:05:01 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: ipsec encryption only via given route
Message-ID: <5382298.hL91o62syh@energia>
In-Reply-To: <5971D2DF.6030904@grosbein.net>
References: <3526072.muFbfPklCK@energia> <5971D2DF.6030904@grosbein.net>
On Friday, 21 July 2017 17:09:35 CEST Eugene Grosbein wrote:
> 20.07.2017 23:17, Kajetan Staszkiewicz writes:
> > Hey group,
> >
> > Can I somehow make IPsec encryption happen AFTER the routing decision and
> > ensure that it happens only when traffic leaves via a specified interface?
>
> You may want to upgrade to 11.1-RELEASE and utilize its new if_ipsec(4)
> feature targeted for creating route-based VPNs.
>
> https://www.freebsd.org/cgi/man.cgi?query=if_ipsec&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE&arch=default&format=html

This seems promising. I understand that it would replace if_enc, which I have
enabled to properly firewall tunnel-mode IPsec. I also run multiple gif +
transport-mode tunnels; those never needed if_enc and were never prone to bug
220217. Now with if_enc the de-IPsec-ed gif traffic passes via a single common
enc0. I would be so happy to get rid of if_enc again.

Unfortunately I don't see much information on how to make it work with
Strongswan. Any hints?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net   |
| Vegeta                | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
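An added example, not part of this thread and not code from the if_ipsec or strongSwan projects, showing one way the two can be paired as discussed above: the kernel installs the tunnel-mode security policies for an if_ipsec(4) interface itself, keyed on the interface's reqid, so the IKE daemon only has to negotiate SAs carrying that same reqid and must not install policies of its own (strongSwan's installpolicy=no). All addresses, the reqid value, the route and the conn name are made-up sample values; the reqid/installpolicy pairing is the assumption the example rests on, so check it against the if_ipsec(4) and ipsec.conf(5) manual pages of the release you run.

```shell
#!/bin/sh
# Added example (not from the thread): pairing a FreeBSD 11.1 if_ipsec(4)
# interface with strongSwan. Sample values only; run the "apply" branch as
# root on FreeBSD, the default branch just prints the strongSwan conn.
set -eu

IFACE=ipsec0
REQID=100                 # must equal 'reqid' in the strongSwan conn (sample)
OUTER_LOCAL=192.0.2.1     # our public address (sample)
OUTER_REMOTE=198.51.100.1 # peer's public address (sample)
INNER_LOCAL=10.100.0.1    # point-to-point addresses inside the tunnel (sample)
INNER_REMOTE=10.100.0.2
REMOTE_NET=10.200.0.0/16  # network reached through the tunnel (sample)

# Emit an ipsec.conf(5) conn section for the given reqid and endpoints.
# installpolicy=no leaves policy to the kernel; the 0.0.0.0/0 selectors
# match the kernel-installed policies, which cover whatever is routed into
# the interface. Paste the output into /usr/local/etc/ipsec.conf.
gen_strongswan_conn() {
    reqid=$1; left=$2; right=$3
    cat <<EOF
conn ${IFACE}
    reqid=${reqid}
    installpolicy=no
    type=tunnel
    keyexchange=ikev2
    left=${left}
    leftsubnet=0.0.0.0/0
    right=${right}
    rightsubnet=0.0.0.0/0
    auto=start
EOF
}

# Create and address the interface. After this, encryption follows routing:
# only traffic routed into $IFACE is encrypted, and the firewall sees the
# cleartext on $IFACE rather than on a shared enc0.
ipsec_if_up() {
    ifconfig "$IFACE" create reqid "$REQID"
    ifconfig "$IFACE" inet tunnel "$OUTER_LOCAL" "$OUTER_REMOTE"
    ifconfig "$IFACE" inet "$INNER_LOCAL" "$INNER_REMOTE"
    route add -net "$REMOTE_NET" "$INNER_REMOTE"
}

case "${1:-print}" in
    apply) ipsec_if_up ;;
esac
gen_strongswan_conn "$REQID" "$OUTER_LOCAL" "$OUTER_REMOTE"
```

The security-relevant point is the reqid: it is what ties the SAs strongSwan negotiates to this one interface, so a second tunnel gets its own interface and its own reqid. Because cleartext appears on ipsec0 itself, pf rules can be written per tunnel interface instead of against one common enc0.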
