IPSEC tunnels

Jan Bramkamp crest at rlwinm.de
Mon Apr 11 09:02:53 UTC 2016


On 10/04/16 22:25, Wojciech Puchar wrote:
>> dealing with layer 3 so you can't use normal port forwarding for the
>> tunnel traffic. The key exchange is less problematic. It was a bit of a
>> headache, and if you can avoid the NAT you will be far better off.
>
> If I can avoid NAT I would use available FreeBSD IPSEC tunnel guides :)

A lot of the documentation floating around on FreeBSD and IPsec is 
rather dated and uses racoon for IKEv1 over IPv4 in *tunneling* mode to 
implement a site to site VPN.

I recommend that you take a look at strongSwan instead of racoon and use 
it to configure IKEv2 over IPv6 (or IPv4) in *transport* mode to protect 
a GRE tunnel. From the IPsec viewpoint the GRE tunnel is just a payload 
in transport mode. From the viewpoint of the rest of the FreeBSD IP stack it 
is a routable network (pseudo-)interface. In this setup you can treat 
your IPsec protected tunnels like any other tunnel interface and use a 
dynamic routing protocol to keep your sites connected in the face of 
failing tunnels. IPsec with IKEv2 can work through a NAT by 
encapsulating the ESP packets in UDP but it's easier if at least one site 
has a public static IP address.

Which interior gateway protocol (IGP) are you using?
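The setup sketched above (a GRE tunnel between two sites, protected by an IKEv2 transport-mode SA from strongSwan) as an added example; this is not code from the original mail or from the strongSwan or FreeBSD projects. It generates the swanctl.conf and rc.conf fragments for either side from one set of parameters, so the two ends stay mirror images of each other, and checks that the traffic selectors really do mirror (a mismatched selector pair is the usual reason such a CHILD_SA never comes up). The 2001:db8:: addresses, the 10.255.0.0/31-style inner addresses, the connection name and the PSK value are constructed placeholders; the `[gre]` suffix on the selectors restricts the SA to IP protocol 47, so only GRE traffic between the two public addresses is encrypted and everything else reaches the hosts unprotected.

```shell
#!/bin/sh
# Added example (not from the mail or either project): emit a strongSwan
# swanctl.conf and FreeBSD rc.conf fragment for an IKEv2 transport-mode SA
# that protects a gre(4) tunnel between two sites. All values are constructed.

SITE_A_PUB="2001:db8:a::1"   # public address of site A (constructed)
SITE_B_PUB="2001:db8:b::1"   # public address of site B (constructed)
SITE_A_GRE="10.255.0.1"      # inner point-to-point address on gre0, site A
SITE_B_GRE="10.255.0.2"      # inner point-to-point address on gre0, site B
PSK_PLACEHOLDER="REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder, not a real key

# gen_swanctl LOCAL_PUB REMOTE_PUB
# Prints the swanctl.conf for the side whose public address is LOCAL_PUB.
# mode = transport: the GRE packets themselves are the protected payload.
gen_swanctl() {
    local_pub=$1
    remote_pub=$2
    cat <<EOF
connections {
    gre-to-peer {
        version = 2
        local_addrs  = ${local_pub}
        remote_addrs = ${remote_pub}
        proposals = aes128gcm16-prfsha256-x25519
        local {
            auth = psk
            id = ${local_pub}
        }
        remote {
            auth = psk
            id = ${remote_pub}
        }
        children {
            gre {
                mode = transport
                local_ts  = ${local_pub}[gre]
                remote_ts = ${remote_pub}[gre]
                esp_proposals = aes128gcm16-x25519
                start_action = trap
            }
        }
    }
}
secrets {
    ike-peer {
        id = ${remote_pub}
        secret = "${PSK_PLACEHOLDER}"
    }
}
EOF
}

# gen_rcconf LOCAL_PUB REMOTE_PUB LOCAL_GRE REMOTE_GRE
# Prints rc.conf lines that create gre0 as a point-to-point interface whose
# outer (tunnel) addresses are the same pair the IPsec selectors cover.
gen_rcconf() {
    cat <<EOF
cloned_interfaces="gre0"
ifconfig_gre0="inet $3 $4 netmask 255.255.255.255 tunnel $1 $2 up"
strongswan_enable="YES"
EOF
}

# selectors_mirror CONF_A CONF_B
# Returns 0 when A's local_ts equals B's remote_ts and vice versa, i.e. the
# two ends describe the same CHILD_SA from opposite sides.
selectors_mirror() {
    a_local=$(printf '%s\n' "$1"  | sed -n 's/^[[:space:]]*local_ts *= *//p')
    a_remote=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*remote_ts *= *//p')
    b_local=$(printf '%s\n' "$2"  | sed -n 's/^[[:space:]]*local_ts *= *//p')
    b_remote=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*remote_ts *= *//p')
    [ -n "$a_local" ] && [ "$a_local" = "$b_remote" ] && [ "$a_remote" = "$b_local" ]
}

# emit_site a|b  -> both fragments for one site, ready to paste into
# /usr/local/etc/swanctl/swanctl.conf and /etc/rc.conf
emit_site() {
    case "$1" in
        a) gen_swanctl "$SITE_A_PUB" "$SITE_B_PUB"
           gen_rcconf  "$SITE_A_PUB" "$SITE_B_PUB" "$SITE_A_GRE" "$SITE_B_GRE" ;;
        b) gen_swanctl "$SITE_B_PUB" "$SITE_A_PUB"
           gen_rcconf  "$SITE_B_PUB" "$SITE_A_PUB" "$SITE_B_GRE" "$SITE_A_GRE" ;;
        *) echo "usage: $0 a|b" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    emit_site "$1"
fi
```

Run `sh gre-ipsec.sh a` on site A and `sh gre-ipsec.sh b` on site B, then `swanctl --load-all` and `service netif start gre0`. With `start_action = trap` charon installs trap policies, so the first GRE packet (a routing protocol hello, for instance) triggers the IKEv2 exchange; routes to the far site are then learned over gre0 by whatever IGP is in use, which is what lets a failed tunnel be routed around.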
