Hi David,

Thanks for your feedback re reasoning for routed interface vs policy config re your question,...

> you think it should be more complicated and fragile?

I was expecting it to be more complicated [... and definitely don't want it to be fragile...

I'll re-review the manual pages... to see if I can understand it better or help improve the manual pages...

Thanks again, when are you coming to Ireland for a few pints and a bit of coding ... and a few pints :)
I think I owe you a few beers at the very least...

On Wed, 20 Nov 2024 at 08:22, David Gwynne <da...@gwynne.id.au> wrote:
>
>
> > On 20 Nov 2024, at 11:15, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> >
> > Hi Folks,
> > Thanks for the suggestions... also I have run policy based ipsec
> > between Fortinet and openbsd and it seemed to work well...
> > we just want to run dynamic routing so it is easier have tunnel
> > endpoints so that we can use dynamic routing daemons... to fail over
> > between vpn endpoints..
>
> yep, makes sense to me.
>
> > running Ikev2 and referencing the sec(4) interface in iked.conf seemed to
> > work,
> >
> > myOpenBSD-IP = my local openbsd public ip
> > fortinet-public-ip = public ip of the fortinet customer ..
> >
> > Tunnel address local (openbsd) 172.16.1.2 remote
> > (fortinet-tunnelendpoint) 172.16.1.1
> >
> > iked.conf ---------------------------
> >
> > ikev2 esp \
> >     from any to any \
> >     local myOpenBSD-IP peer fortinet-public-ip \
> >     psk "Big-Secret!" \
> >     iface sec1
> >
> > -------------------end iked.conf
> >
> >
> > ifconfig sec1
> > sec1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> >         description: ike2-site-site-VPN
> >         index 8 priority 0 llprio 3
> >         groups: sec
> >         inet 172.16.1.2 --> 172.16.1.1 netmask 0xffffffff
> >
> >
> > It works ok .. . feels a little magic :)
>
> you think it should be more complicated and fragile?
>
> > thanks for writing the sec(4) driver and the integration with iked... ipsec
> >
> > Much obliged...
> >
> > Tom Smyth
> >
> >
> > On Tue, 19 Nov 2024 at 12:04, David Gwynne <da...@gwynne.id.au> wrote:
> >>
> >>
> >>> On 19 Nov 2024, at 12:07, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> >>>
> >>> Folks
> >>> did anyone have success using sec(4) interfaces on Site to Site VPNs
> >>> between OpenBSD and Fortinet ? I want to route via the sec interface
> >>> rather than specify static policies in iked.conf
> >>
> >> no experience, sorry. if you've ever configured a policy based vpn between
> >> openbsd and a fortinet, then it should be straightforward.
> >>
> >>> or should I be using gre(4) gif(4) or some other tunnel device to
> >>> bring up an interface which I can put an ip address on and route over
> >>> ,
> >>>
> >>> any pointers would be really appreciated
> >>
> >> gre over ipsec is much more likely to work than gif. i'd argue sec would
> >> be easier because you don't need to know the ips for the tunnel endpoints
> >> like you do for gre (and gif).
> >>
> >> cheers,
> >> dlg
> >>
> >>>
> >>> thanks
> >>>
> >>> Tom Smyth
> >>>
> >>> --
> >>> Kindest regards,
> >>> Tom Smyth.
> >
> > --
> > Kindest regards,
> > Tom Smyth.

--
Kindest regards,
Tom Smyth.