On 28.04.2019 14:50, driesm.michi...@gmail.com wrote:
> Was wondering if it's possible to set-up a route based IPSec VPN with
> Strongswan with if_ipsec in FreeBSD?

We use if_ipsec(4) with Strongswan between offices. But our configuration
is specific. All if_ipsec(4) interfaces are preconfigured via rc.conf.
I.e. all interfaces have configured IP addresses and tunnel endpoints.
Strongswan is used to install security associations. For each if_ipsec(4)
interface we have a corresponding entry in ipsec.conf.

conn some-name-ipsec18
    installpolicy=no
    auto=route
    left=Local-Tunnel-IP-address
    right=Remote-Tunnel-IP-address
    rightid=@some-name-id
    reqid=18

Each interface has a unique reqid.

> The caveat that I have are dynamic IP addresses (server (I have DDNS) +
> clients (roadwarriors; mobile, tablet, etc)).
>
> How should one configure the if_ipsec interface? The Strongswan part is
> relatively straightforward as it takes variables that indicate "%any".
>
> I found some guides for road warriors with Ubuntu VTI; they configure it as
> such:
>
> * ip tunnel add ipsec0 local 192.168.0.1 remote 0.0.0.0 mode vti key 42
> * Reference:
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
> So the first address I assume is the left side of the external header (so
> NAT-T is needed) and the remote is a match all policy for the right side.
>
> Can this be copy pasted on FreeBSD? In other words, is the Ubuntu command
> equivalent to "ifconfig ipsec0 inet tunnel 192.168.0.1 0.0.0.0" for FreeBSD?

This won't work. I think you need to write an updown script that will create
the corresponding if_ipsec(4) interface on demand and configure it, i.e. set
tunnel addresses and some internal ones if needed. Note, you need to use the
same reqid for if_ipsec(4) and for the "conn" option.

-- 
WBR, Andrey V. Elsukov
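Added example, not part of the reply above nor strongSwan's own updown script: a minimal sh updown script of the kind Andrey suggests, which creates ipsec<reqid> on demand and binds it to the SA with the same reqid as the "conn" entry. It assumes strongSwan's standard PLUTO_* updown environment (PLUTO_VERB, PLUTO_REQID, PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT) and an ipsec.conf "leftupdown=" line pointing at it; the script path and the DRY_RUN knob are hypothetical.

```shell
#!/bin/sh
# Hypothetical strongSwan updown script for FreeBSD if_ipsec(4): creates the
# interface on demand, keyed by the connection's reqid (ipsec.conf "reqid=N"
# plus "leftupdown=<this script>"). DRY_RUN=1 prints commands instead.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The reqid names the interface; accept only a plain positive integer so
# nothing peer-influenced is ever interpolated into a command line.
valid_reqid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# up-client: create ipsec<reqid>, bind it to the SA via reqid, set the outer
# tunnel addresses to what IKE actually negotiated (PLUTO_ME/PLUTO_PEER, so
# dynamic and NAT-T peers work), and route the remote subnet over it.
ipsec_up() {
    reqid="$1"; me="$2"; peer="$3"; peer_net="$4"
    valid_reqid "$reqid" || return 1
    ifn="ipsec$reqid"
    run ifconfig "$ifn" create
    run ifconfig "$ifn" reqid "$reqid"
    run ifconfig "$ifn" tunnel "$me" "$peer"
    run ifconfig "$ifn" up
    run route -q add -net "$peer_net" -interface "$ifn"
}

# down-client: remove the route and destroy the interface again.
ipsec_down() {
    reqid="$1"; peer_net="$2"
    valid_reqid "$reqid" || return 1
    ifn="ipsec$reqid"
    run route -q delete -net "$peer_net" -interface "$ifn"
    run ifconfig "$ifn" destroy
}

# Dispatch only when strongSwan invokes the script (PLUTO_VERB set).
case "${PLUTO_VERB:-}" in
    up-client)   ipsec_up   "$PLUTO_REQID" "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_PEER_CLIENT" ;;
    down-client) ipsec_down "$PLUTO_REQID" "$PLUTO_PEER_CLIENT" ;;
esac
```

Inner tunnel addresses (the left/right of the conn) can be added with an extra "ifconfig $ifn inet ..." in ipsec_up if the interface needs them, as the reply notes.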