ipsec encryption only via given route
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Fri Jul 21 16:05:17 UTC 2017
On Friday, 21 July 2017 17:09:35 CEST, Eugene Grosbein wrote:
> On 20.07.2017 23:17, Kajetan Staszkiewicz wrote:
> > Hey group,
> >
> > Can I somehow make IPsec encryption to happen AFTER routing decision and
> > ensure that it happens only when traffic leaves via specified interface?
>
> You may want to upgrade to 11.1-RELEASE and utilize its new if_ipsec(4)
> feature targeted for creating route-based VPNs.
>
> https://www.freebsd.org/cgi/man.cgi?query=if_ipsec&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE&arch=default&format=html
This seems promising. I understand that it would replace if_enc which I have
enabled to properly firewall tunnel mode IPsec.
I also run multiple gif + transport mode tunnels; those never needed if_enc
and were never prone to bug 220217. Now with if_enc the de-IPsec-ed gif
traffic passes via a single common enc0. I would be so happy to get rid of
if_enc again.
Unfortunately I don't see much information on how to make it work with
Strongswan. Any hints?
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
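As an added example (not part of this thread, nor from the if_ipsec or strongSwan projects), the shape of a route-based setup that the reply above points at: an ipsec(4) interface created with a reqid, a route through it, and a strongSwan conn whose reqid matches. Addresses and the conn name are constructed; the strongSwan side (reqid=, installpolicy=no, any/any selectors so the SAs match the wildcard policies the interface installs) is my assumption about how the two fit together and should be checked against your strongSwan version. The script only touches the system when run as root on FreeBSD; elsewhere it just defines the helpers.

```shell
#!/bin/sh
# Added example: route-based IPsec with if_ipsec(4) on FreeBSD 11.1+.
# Constructed values (RFC 5737 documentation addresses, private inner nets).
IFACE=ipsec0
REQID=200
LOCAL_EP=192.0.2.1        # outer (public) endpoint on this host
REMOTE_EP=198.51.100.1    # outer endpoint of the peer
INNER_LOCAL=10.0.0.1      # tunnel addresses seen by the routing table
INNER_REMOTE=10.0.0.2
REMOTE_NET=10.2.0.0/16    # what gets routed (and therefore encrypted) via the tunnel

# The interface installs its own SPD entries bound to REQID. Packets are
# encrypted only because a route sends them to ipsec0, i.e. encryption
# happens after the routing decision, which is what the thread asks for.
create_ipsec_if() {
    ifconfig "$IFACE" create reqid "$REQID"
    ifconfig "$IFACE" tunnel "$LOCAL_EP" "$REMOTE_EP"
    ifconfig "$IFACE" inet "$INNER_LOCAL" "$INNER_REMOTE"
    route add -net "$REMOTE_NET" "$INNER_REMOTE"
}

# strongSwan side (assumed pairing): reqid must equal the interface's reqid so
# negotiated SAs attach to the interface's policies; installpolicy=no keeps
# charon from installing a second, competing SP set; any/any selectors match
# the wildcard policies of the interface.
render_strongswan_conn() {
    cat <<EOF
conn site-b
    keyexchange=ikev2
    left=$LOCAL_EP
    right=$REMOTE_EP
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    reqid=$REQID
    installpolicy=no
    auto=route
EOF
}

# Extract the reqid from the rendered conn so the two halves can be checked
# against each other before anything is applied.
conn_reqid() {
    render_strongswan_conn | sed -n 's/^ *reqid=//p'
}

# Coarse on-host check (assumes the reqid appears verbatim in setkey's policy
# dump): confirm the SPD actually carries our reqid after interface creation,
# and eyeball the dump for any other policy that could steal the same traffic.
check_spd() {
    setkey -DP | grep -q "$REQID" || return 1
    setkey -DP
}

if [ "$(conn_reqid)" != "$REQID" ]; then
    echo "reqid mismatch between interface and strongSwan conn" >&2
    exit 1
fi

if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
    create_ipsec_if
    check_spd && echo "SPD bound to reqid $REQID on $IFACE"
fi
```

Because the interface owns the policies, firewalling the cleartext side no longer needs enc0: rules on ipsec0 see the decrypted packets of that tunnel only, which is the separation the poster wants back from the gif + transport mode days.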