IPSec with if_ipsec strongswan and dynamic roadwarriors
driesm.michiels at gmail.com
Sun Apr 28 11:50:32 UTC 2019
Hi net mailing list,
Was wondering if it's possible to set up a route-based IPSec VPN with
Strongswan with if_ipsec in FreeBSD?
The caveat that I have is dynamic IP addresses (server (I have DDNS) +
clients (roadwarriors; mobile, tablet, etc)).
How should one configure the if_ipsec interface? The Strongswan part is
relatively straightforward as it takes variables that indicate "%any".
I found some guides for road warriors with Ubuntu VTI; they configure it as
such:
* ip tunnel add ipsec0 local 192.168.0.1 remote 0.0.0.0 mode vti key 42
* Reference: https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
So the first address I assume is the left side of the external header (so
NAT-T is needed) and the remote is a match all policy for the right side.
Can this be copy pasted on FreeBSD? In other words, is the Ubuntu command
equivalent to "ifconfig ipsec0 inet tunnel 192.168.0.1 0.0.0.0" for FreeBSD?
The if_ipsec of FreeBSD also takes the inet configuration, which is, if I'm
correct, the internal headers of the packets.
This is where Ubuntu has to add a static route, although for FreeBSD this
would be set up automatically as we define this on our ipsec0 interface.
Thanks for shining some light on this!