Date:      Fri, 21 Jul 2017 18:05:01 +0200
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        Eugene Grosbein <eugen@grosbein.net>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: ipsec encryption only via given route
Message-ID:  <5382298.hL91o62syh@energia>
In-Reply-To: <5971D2DF.6030904@grosbein.net>
References:  <3526072.muFbfPklCK@energia> <5971D2DF.6030904@grosbein.net>

On Friday, 21 July 2017 17:09:35 CEST Eugene Grosbein wrote:
> 20.07.2017 23:17, Kajetan Staszkiewicz writes:
> > Hey group,
> > 
> > Can I somehow make IPsec encryption happen AFTER the routing decision and
> > ensure that it happens only when traffic leaves via a specified interface?
> 
> You may want to upgrade to 11.1-RELEASE and utilize its new if_ipsec(4)
> feature targeted for creating route-based VPNs.
> 
> https://www.freebsd.org/cgi/man.cgi?query=if_ipsec&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE&arch=default&format=html

This seems promising. I understand that it would replace if_enc, which I have
enabled to firewall tunnel-mode IPsec properly.

I also run multiple gif + transport-mode tunnels; those never needed if_enc
and were never prone to bug 220217. Now with if_enc the de-IPsec-ed gif
traffic passes via a single common enc0. I would be so happy to get rid of
if_enc again.

Unfortunately I don't see much information on how to make it work with
strongSwan. Any hints?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
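The if_ipsec(4) setup Eugene points to, as an added example that is not part of the original thread nor of FreeBSD's or strongSwan's own documentation: a small POSIX sh script that prints the ifconfig/route commands for one route-based tunnel and a matching strongSwan ipsec.conf stanza, so the two sides can be compared before anything is typed on a router. The interface name, reqid 100, the addresses and the remote network are made-up placeholders; `installpolicy=no` and the 0.0.0.0/0 traffic selectors are my assumption about how strongSwan should coexist with the security policies the kernel installs for the interface, to be checked against if_ipsec(4) and ipsec.conf(5).

```shell
#!/bin/sh
# Added example, not code from the thread, FreeBSD or strongSwan.
# Emits (does not run) the configuration for a route-based IPsec tunnel
# built on if_ipsec(4), FreeBSD 11.1 and later. All values are placeholders.
set -eu

# Commands for one if_ipsec interface.
#   $1 interface   $2 reqid   $3 outer local   $4 outer remote
#   $5 inner local $6 inner remote   $7 remote network reached via the tunnel
ipsec_if_cmds() {
    ifn=$1; reqid=$2; osrc=$3; odst=$4; isrc=$5; idst=$6; net=$7
    # The reqid ties the SAs negotiated by the IKE daemon to this interface.
    printf 'ifconfig %s create reqid %s\n' "$ifn" "$reqid"
    # Outer (ESP) endpoints and inner point-to-point addresses.
    printf 'ifconfig %s tunnel %s %s\n' "$ifn" "$osrc" "$odst"
    printf 'ifconfig %s inet %s %s\n' "$ifn" "$isrc" "$idst"
    # The route is what selects traffic for encryption: only packets whose
    # lookup ends on this interface are encapsulated, after routing.
    printf 'route add -net %s %s\n' "$net" "$idst"
}

# strongSwan ipsec.conf conn supplying SAs with the same reqid.
#   $1 conn name   $2 reqid   $3 outer local   $4 outer remote
# installpolicy=no is an assumption: the kernel already installs the
# policies for the if_ipsec interface, so the daemon must not add its own.
strongswan_conn() {
    name=$1; reqid=$2; osrc=$3; odst=$4
    cat <<EOF
conn $name
    keyexchange=ikev2
    left=$osrc
    right=$odst
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    reqid=$reqid
    installpolicy=no
    auto=start
EOF
}

# Quick consistency check: both halves must carry the same reqid.
reqid_matches() {
    cmds=$1; conf=$2
    r1=$(printf '%s\n' "$cmds" | sed -n 's/^ifconfig .* create reqid \([0-9]*\)$/\1/p')
    r2=$(printf '%s\n' "$conf" | sed -n 's/^ *reqid=\([0-9]*\)$/\1/p')
    [ -n "$r1" ] && [ "$r1" = "$r2" ]
}

# Usage with placeholder values (site A side of an A<->B tunnel).
cmds=$(ipsec_if_cmds ipsec0 100 192.0.2.1 198.51.100.1 10.1.1.1 10.1.1.2 10.2.0.0/16)
conf=$(strongswan_conn site-b 100 192.0.2.1 198.51.100.1)
printf '%s\n\n%s\n' "$cmds" "$conf"
reqid_matches "$cmds" "$conf" && echo "reqid consistent"
```

Because encryption is applied only once the route lookup has sent a packet out via ipsec0, nothing else leaving the box is touched, which is the behaviour asked about at the top of the thread; the cleartext also traverses ipsec0 as an ordinary point-to-point interface, so pf rules can be written against that interface rather than against the shared enc0.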