I would like to do what is in the ifconfig(8) bridge documentation (host-host
tunnel mode, SAs created dynamically via isakmp, between a remote host and an
OpenBSD bridge "proxy" for a local host):
    link2   Setting this flag causes all packets to be passed on to
            ipsec(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&sektion=4&arch=&apropos=0&manpath=OpenBSD+Current>
            for processing, based on the policies established by the
            administrator using the
            ipsecctl(8) <http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecctl&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current>
            command and
            ipsec.conf(5) <http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current>.
            If appropriate security associations (SAs) exist, they will be
            used to encrypt or decrypt the packets. Otherwise, any key
            management daemons such as
            isakmpd(8) <http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current>
            that are running on the bridge will be invoked to establish the
            necessary SAs. These daemons have to be configured as if they
            were running on the host whose traffic they are protecting
            (i.e. they need to have the appropriate authentication and
            authorization material, such as keys and certificates, to
            impersonate the protected host(s)).
I have not found any specific documentation on how to configure this.
What I have tried does not work.
A posting about 5 years ago asked a similar question and was told it only
worked for manual SAs.
My general question is - does OpenBSD 4.7 support bump-in-the-wire mode IPsec
for a bridge as described by the ifconfig/bridge/link2 parameter above?
My specific question is - are there configuration examples somewhere?
Thank you.