Eugene Grosbein wrote:
> 
> > IPSec per se does not use or require interfaces, unless you first
> > configure gif/gre tunnels and then encrypt traffic between tunnel
> > endpoints in IPSec transport mode.
> 
> There is also if_ipsec(4).

Oh, I forgot about this recent addition. It was a really good design
idea, thank you for reminding me. 

I now even remember discussing it with Andrey in his LJ and suggesting
a small cosmetic feature which he implemented by my request.

Have you tried it in production? What does it do to the MTU?

> 
> > I wonder if the same approach will not work with OpenVPN's tap/tun
> > interfaces (I have not tried, so maybe not).
> 
> I tried and it won't work within a single OpenVPN instance, and that's unusually
> hard and meaningless with multiple OpenVPN instances just because OpenVPN was not
> designed to interact with other system parts.

Thanks, I will now know and avoid such configurations.

> 
> >> to process with SNMP agent/routing daemon/packet filters etc. because
> >> distinct OpenVPN instances cannot share routing correctly between them.
> > 
> > IPSec is oblivious to routing too. It just encrypts/decrypts packets
> > according to the SPD.
> 
> Yes, IPSec does not try to be the single combine for encryption, interface
> manipulation, and routing propagation. But it combines with additional subsystems
> just fine.
> 
> >> In short, OpenVPN just is not designed to play nice and in a
> >> standard-compliant way with other parts of the system, and sometimes that's
> >> unacceptable. And sometimes that's irrelevant.
> > 
> > When I had to set up a VPN with a Macintosh user (road warrior), I
> > found out that an IPSec VPN would be beyond my mental abilities as I
> > could not wrap my head around the correct racoon and mpd5
> > authentication setup between FreeBSD and Mac.  That's for all the talk
> > about being standard-compliant. OpenVPN saved me.
> 
> Hmm, I had no problems making such a setup. I use a single IPSec shared secret
> for the whole group of roaming users to encrypt their initial traffic,
> and distinct login/password pairs in the mpd.secret file for CHAP-based
> authentication within L2TP tunnels before assignment of internal IP addresses.

And what does it look like (both shared secret and login/password)
from the point of view of a Windows/Mac client?

> 
> You can find my letter to RU.UNIX.BSD of June 20 with subject "Re: STABLE+IPSEC"
> describing this setup.

May I ask you kindly to publish a howto in your LJ?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net