On Friday, 21 July 2017 17:09:35 CEST, Eugene Grosbein wrote:
> 20.07.2017 23:17, Kajetan Staszkiewicz wrote:
> > Hey group,
> > 
> > Can I somehow make IPsec encryption happen AFTER routing decision and
> > ensure that it happens only when traffic leaves via specified interface?
> 
> You may want to upgrade to 11.1-RELEASE and utilize its new if_ipsec(4)
> feature targeted for creating route-based VPNs.
> 
> https://www.freebsd.org/cgi/man.cgi?query=if_ipsec&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE&arch=default&format=html

This seems promising. I understand that it would replace if_enc which I have  
enabled to properly firewall tunnel mode IPsec.

I also run multiple gif + transport mode tunnels, those never needed if_enc 
and were never prone to bug 220217. Now with if_enc the de-IPsec-ed gif 
traffic passes via single common enc0. I would be so happy to get rid of 
if_enc again.

Unfortunately I don't see much information on how to make it work with 
strongSwan. Any hints?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
