> On 20 Nov 2024, at 11:15, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
>
> Hi Folks,
> Thanks for the suggestions... also I have run policy based ipsec
> between Fortinet and openbsd and it seemed to work well...
> we just want to run dynamic routing so it is easier have tunnel
> endpoints so that we can use dynamic routing daemons... to fail over
> between vpn endpoints..
yep, makes sense to me.
> running Ikev2 and referencing the sec(4) interface in iked.conf seemed to
> work,
>
> myOpenBSD-IP = my local openbsd public ip
> fortinet-public-ip = public ip of the fortinet customer ..
>
> Tunnel address local (openbsd) 172.16.1.2 remote
> (fortinet-tunnelendpoint) 172.16.1.1
>
> iked.conf ---------------------------
>
> ikev2 esp \
> from any to any \
> local myOpenBSD-IP peer fortinet-public-ip \
> psk "Big-Secret!" \
> iface sec1
>
> -------------------end iked.conf
>
>
> ifconfig sec1
> sec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> description: ike2-site-site-VPN
> index 8 priority 0 llprio 3
> groups: sec
> inet 172.16.1.2 --> 172.16.1.1 netmask 0xffffffff
>
>
> It works ok... feels a little magic :)
you think it should be more complicated and fragile?
> thanks for writing the sec(4) driver and the integration with iked... ipsec
>
> Much obliged...
>
> Tom Smyth
>
>
> On Tue, 19 Nov 2024 at 12:04, David Gwynne <da...@gwynne.id.au> wrote:
>>
>>
>>
>>> On 19 Nov 2024, at 12:07, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
>>>
>>> Folks
>>> did anyone have success using sec(4) interfaces on Site to Site VPNs
>>> between OpenBSD and Fortinet ? I want to route via the sec interface
>>> rather than specify static policies in iked.conf
>>
>> no experience, sorry. if you've ever configured a policy based vpn between
>> openbsd and a fortinet, then it should be straightforward.
>>
>>> or should I be using gre(4) gif(4) or some other tunnel device to
>>> bring up an interface which I can put an ip address on and route over,
>>>
>>> any pointers would be really appreciated
>>
>> gre over ipsec is much more likely to work than gif. i'd argue sec would be
>> easier because you don't need to know the ips for the tunnel endpoints like
>> you do for gre (and gif).
>>
>> cheers,
>> dlg
>>
>>>
>>> thanks
>>>
>>> Tom Smyth
>>>
>>>
>>> --
>>> Kindest regards,
>>> Tom Smyth.
>>>
>>
>
>
> --
> Kindest regards,
> Tom Smyth.