On 2019-01-10, Daniel Ouellet <dan...@presscom.net> wrote:
>> OpenBSD's implementation of ipsec doesn't use the routing table, if you
>> want that (unless you make code changes) you will need to use a
>> different tunnel interface (gif or others) and just use ipsec to protect
>> the gif traffic.
>
> The point is to keep the configuration simple and gif doesn't make it
> so. But when the source is with changing IP's often it ends up not being
> very possible, is it...
>
> So not really an option.
>
> May be time to check wireguard instead then. But not having it in the
> kernel or fully mature yet on OpenBSD is also limiting.
Or OpenVPN, or openconnect/ocserv, or ssh vpn, or strongswan, or [...]

>> Sounds like you want bypass flows for 66.63.44.96/27 <> 66.63.44.64/27.
>> IIRC you can still use ipsecctl/ipsec.conf to configure them even
>> with iked running (the only bypass flows iked will add itself are the
>> automatic "mess with v6 traffic" ones, there's no iked.conf way to do
>> this flexibly).
>
> The point of ikev2 was to keep things simple and light. Doing the full
> ipsec, even if doable, is really a real pain in the butts.

ikev2 is full ipsec. Maybe you misunderstood - I am just talking about a
couple of lines in ipsec.conf to set up the bypass flow, but still use
iked for the actual vpn connection.
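What those "couple of lines" could look like, as an added example that is not from the thread or from either poster: the two /27 prefixes are the ones named above, the rule follows the ipsec.conf(5) flow syntax, and the ipsecctl/rcctl commands in the comments assume a stock OpenBSD host where iked is already running its own tunnel.

```conf
# /etc/ipsec.conf  (added example, not from the thread)
#
# A bypass flow tells the kernel SPD to pass matching traffic in the clear
# instead of pulling it into the iked-managed tunnel. A "flow" rule with no
# explicit "in"/"out" direction installs both directions, so one line covers
# 66.63.44.96/27 <-> 66.63.44.64/27. Bypass only exempts the traffic from
# IPsec policy; pf still filters it as usual.
flow from 66.63.44.96/27 to 66.63.44.64/27 type bypass

# Loading and checking (run as root):
#   ipsecctl -n -f /etc/ipsec.conf   # parse only, no changes to the SPD
#   ipsecctl -f /etc/ipsec.conf      # add the flow; does not flush what
#                                    # iked installed (flushing is -F)
#   ipsecctl -s flow                 # the bypass entries should now be listed
#                                    # alongside iked's own flows
#   rcctl enable ipsec               # reload /etc/ipsec.conf at boot
```

iked.conf is left untouched; the actual IKEv2 peer and its ESP flows are still entirely iked's job.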