Hi Folks,
Thanks for the suggestions... also I have run policy-based IPsec
between Fortinet and OpenBSD and it seemed to work well...
We just want to run dynamic routing, so it is easier to have tunnel
endpoints so that we can use dynamic routing daemons... to fail over
between VPN endpoints..



Running IKEv2 and referencing the sec(4) interface in iked.conf seemed to work.

myOpenBSD-IP = my local OpenBSD public IP
fortinet-public-ip = public IP of the Fortinet customer ..

Tunnel address local (OpenBSD) 172.16.1.2, remote
(Fortinet tunnel endpoint) 172.16.1.1

------------------- iked.conf -------------------

ikev2  esp \
        from any to any \
        local  myOpenBSD-IP peer fortinet-public-ip \
        psk "Big-Secret!" \
        iface sec1

------------------- end iked.conf ---------------


ifconfig sec1
sec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        description: ike2-site-site-VPN
        index 8 priority 0 llprio 3
        groups: sec
        inet 172.16.1.2 --> 172.16.1.1 netmask 0xffffffff


It works OK... feels a little magic :)
Thanks for writing the sec(4) driver and the integration with iked... IPsec

Much obliged...

Tom Smyth


On Tue, 19 Nov 2024 at 12:04, David Gwynne <da...@gwynne.id.au> wrote:
>
>
>
> > On 19 Nov 2024, at 12:07, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> >
> > Folks
> > Did anyone have success using sec(4) interfaces on site-to-site VPNs
> > between OpenBSD and Fortinet? I want to route via the sec interface
> > rather than specify static policies in iked.conf,
>
> No experience, sorry. If you've ever configured a policy-based VPN between
> OpenBSD and a Fortinet, then it should be straightforward.
>
> > or should I be using gre(4), gif(4) or some other tunnel device to
> > bring up an interface which I can put an IP address on and route over?
> >
> > Any pointers would be really appreciated.
>
> GRE over IPsec is much more likely to work than gif. I'd argue sec would be
> easier because you don't need to know the IPs for the tunnel endpoints like
> you do for gre (and gif).
>
> cheers,
> dlg
>
> >
> > thanks
> >
> > Tom Smyth
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >
>


-- 
Kindest regards,
Tom Smyth.
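A small check that goes with the route-based setup above: before a routing daemon advertises prefixes over a sec(4) tunnel, it is worth confirming that the interface is not only UP but RUNNING and carries the expected point-to-point addresses, otherwise a failover can blackhole traffic into a tunnel with no SAs. This is an added example, not part of the original mail; the sample ifconfig text is constructed from the output shown in the thread, and it assumes (check sec(4) on your release) that a sec interface reports RUNNING only while iked has installed SAs on it.

```shell
#!/bin/sh
# Added example, not from the original mail: parse `ifconfig secN` output
# and decide whether the route-based tunnel is usable before advertising
# routes over it.
# Assumption: a sec(4) interface is RUNNING only while iked has installed
# SAs on it; verify this against sec(4) for your OpenBSD release.

# Constructed sample, shaped like the ifconfig output quoted in the thread.
SAMPLE_IFCONFIG='sec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        description: ike2-site-site-VPN
        index 8 priority 0 llprio 3
        groups: sec
        inet 172.16.1.2 --> 172.16.1.1 netmask 0xffffffff'

# sec_tunnel_check IFCONFIG_TEXT EXPECTED_LOCAL EXPECTED_REMOTE
# Prints "local remote" and returns 0 when the interface is UP and RUNNING
# and its point-to-point addresses match the expected pair; returns 1 otherwise.
sec_tunnel_check() {
    text=$1; want_local=$2; want_remote=$3

    # Pull the flag list out of the first line: flags=8051<UP,...,RUNNING,...>
    flags=$(printf '%s\n' "$text" | sed -n '1s/.*flags=[0-9a-f]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface not UP" >&2; return 1 ;;
    esac
    case ",$flags," in
        *,RUNNING,*) ;;
        *) echo "no SAs installed (interface not RUNNING)" >&2; return 1 ;;
    esac

    # Point-to-point line: "inet <local> --> <remote> netmask ..."
    set -- $(printf '%s\n' "$text" | awk '$1 == "inet" && $3 == "-->" { print $2, $4 }')
    [ "$#" -eq 2 ] || { echo "no point-to-point inet address" >&2; return 1; }
    [ "$1" = "$want_local" ] && [ "$2" = "$want_remote" ] || {
        echo "unexpected tunnel addresses $1 --> $2" >&2; return 1; }
    echo "$1 $2"
}

# Real use on the gateway (hypothetical invocation):
#   sec_tunnel_check "$(ifconfig sec1)" 172.16.1.2 172.16.1.1
```

The exit status is what a routing daemon health hook or a monitoring check would act on; the printed address pair is only there to make the result readable.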
