IPSec with if_ipsec strongswan and dynamic roadwarriors

Andrey V. Elsukov bu7cher at yandex.ru
Sun Apr 28 15:24:23 UTC 2019


On 28.04.2019 14:50, driesm.michiels at gmail.com wrote:
> Was wondering if it's possible to set-up a route based IPSec VPN with
> Strongswan with if_ipsec in FreeBSD?

We use if_ipsec(4) with Strongswan between offices. But our
configuration is specific. All if_ipsec(4) interfaces are preconfigured
via rc.conf, i.e. all interfaces have configured IP addresses and tunnel
endpoints. Strongswan is used to install security associations.
For each if_ipsec(4) interface we have a corresponding entry in ipsec.conf.

 conn some-name-ipsec18
        installpolicy=no
        auto=route
        left=Local-Tunnel-IP-address
        right=Remote-Tunnel-IP-address
        rightid=@some-name-id
        reqid=18

Each interface has a unique reqid.

> The caveat that I have are dynamic IP addresses (server (I have DDNS) +
> clients (roadwarriors; mobile, tablet, etc)).
> 
> How should one configure the if_ipsec interface? The Strongswan part is
> relatively straightforward as it takes variables that indicate "%any".
> 
> I found some guides for road warriors with Ubuntu VTI, they configure it as
> such:
> 
> *	ip tunnel add ipsec0 local 192.168.0.1 remote 0.0.0.0 mode vti key 42
> *	Reference:
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
> 
> So the first address I assume is the left side of the external header (so
> NAT-T is needed) and the remote is a match all policy for the right side.
> 
> Can this be copy pasted on FreeBSD? In other words, is the Ubuntu command
> equivalent to "ifconfig ipsec0 inet tunnel 192.168.0.1 0.0.0.0" for FreeBSD?

This won't work. I think you need to write an updown script that will
create the corresponding if_ipsec(4) interface on demand and configure it,
i.e. set tunnel addresses and internal ones if needed. Note, you need to
use the same reqid for if_ipsec(4) and for the "conn" option.

-- 
WBR, Andrey V. Elsukov
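A minimal updown script of the kind the reply describes, as an added example (not Andrey's script and not code from FreeBSD or strongswan): it derives the if_ipsec(4) interface name from the reqid, so the interface and the conn's reqid cannot disagree, and runs the ifconfig steps when a road warrior's SA comes up or goes down. It assumes strongswan's documented PLUTO_* updown variables; IPSEC_INNER_LOCAL and IPSEC_DRY_RUN are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: strongswan updown script for FreeBSD if_ipsec(4). strongswan
# exports PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_REQID and PLUTO_PEER_SOURCEIP
# (the peer's virtual IP) to updown scripts. IPSEC_INNER_LOCAL (hypothetical) is
# the hub's inner address; IPSEC_DRY_RUN=1 (hypothetical) prints the ifconfig
# commands instead of running them.

run() {
    if [ "${IPSEC_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Derive the interface name from the reqid (reqid 18 -> ipsec18), so the
# if_ipsec(4) unit and the conn's reqid always match, as the reply requires.
ifname_for_reqid() {
    case "$1" in
        ''|*[!0-9]*) echo "updown: bad reqid '$1'" >&2; return 1 ;;
    esac
    printf 'ipsec%s\n' "$1"
}

# ipsec_up IFNAME REQID OUTER_LOCAL OUTER_REMOTE [INNER_LOCAL INNER_REMOTE]
ipsec_up() {
    ifn=$1; reqid=$2; me=$3; peer=$4; in_me=$5; in_peer=$6
    run ifconfig "$ifn" create reqid "$reqid" || return 1
    # Outer header: our address and the road warrior's current (dynamic) address.
    run ifconfig "$ifn" inet tunnel "$me" "$peer" || return 1
    # Inner point-to-point addresses, only when a virtual IP was assigned.
    if [ -n "$in_me" ] && [ -n "$in_peer" ]; then
        run ifconfig "$ifn" inet "$in_me" "$in_peer" || return 1
    fi
    run ifconfig "$ifn" up
}

ipsec_down() { run ifconfig "$1" destroy; }

# Dispatch on the verb strongswan passes; verbs other than up/down are ignored.
updown_main() {
    ifn=$(ifname_for_reqid "$PLUTO_REQID") || return 1
    case "$PLUTO_VERB" in
        up-client|up-host)
            ipsec_up "$ifn" "$PLUTO_REQID" "$PLUTO_ME" "$PLUTO_PEER" \
                     "${IPSEC_INNER_LOCAL:-}" "${PLUTO_PEER_SOURCEIP:-}" ;;
        down-client|down-host) ipsec_down "$ifn" ;;
        *) return 0 ;;
    esac
}

# Only act when invoked by strongswan (PLUTO_VERB set); sourcing is harmless.
if [ -n "${PLUTO_VERB:-}" ]; then updown_main; fi
```

Point the conn at it with leftupdown=/path/to/this/script and keep reqid fixed per conn, as the reply notes.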
