check brconfig(8)
link2 Setting this flag causes all packets to be passed on to ipsec(4) for processing, based on the policies established by the administrator using the ipsecadm(8) command. If appropriate security associations (SAs) exist, they will be used to encrypt or decrypt the packets. Otherwise, any key management daemons such as isakmpd(8) that are running on the bridge will be invoked to establish the necessary SAs. These daemons have to be configured as if they were running on the host whose traffic they are protecting (i.e., they need to have the appropriate authentication and authorization material, such as keys and certificates, to impersonate the protected host(s)).
However, AFAIK, it only works with static IPsec keys.
On Wed, Jul 20, 2005 at 01:56:47AM +0200, Juraj Bednar wrote:
> Hello,
>
> I'm fairly new to OpenBSD. I need to create a simple IPSec setup,
> which is (as I learned) called "bump-in-the-wire". Basically, I have
> an OpenBSD box with two ethernet interfaces bridged together. I want to
> protect communication with one particular server in _transport_ mode
> with IPSec. That means creating a security association and
> establishing a connection. I was not able to find good documentation
> on how to do this.
>
>
> IP1 <-----(openbsd bridge)------> IP2
>  ^                                 ^
> safe ethernet            not safe ethernet
>
> openbsd bridge does not have an ip address. If it sees that there's a
> packet coming to IP2, it quickly establishes an IPSec SA in transport
> mode with just this single IP address and sends all the packets
> encrypted. So the communication between IP1 and IP2 never goes
> unencrypted through unsafe ethernet. It should pass all other traffic
> unmodified.
>
> Is there an example setup or any pointer on how I could make this work?
>
> I found out about the terminology and this possibility here:
> http://www.thought.net/jason/bridgepaper/node9.html
>
> but there's no documentation on how to actually do this :(. Simple
> googling did not help.
>
>
> Thanks,
>
> Juraj.
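The static-key variant of the setup above, written out as an added example (it is not from this mail thread or from the OpenBSD manual pages). It assumes the OpenBSD 3.x-era brconfig(8) and ipsecadm(8) command syntax as I remember it (ipsecadm was later replaced by ipsecctl(8), so check the manual for your release), and the interface names fxp0/fxp1, the addresses 192.0.2.10 (IP1) and 198.51.100.20 (IP2), the SPIs and the keys are placeholders chosen for the example. The SAs and flows are addressed as if the bridge were IP1, which is what the link2 text requires, and only IP1<->IP2 traffic is made to require ESP, so everything else crosses the bridge untouched. By default the script only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example: bump-in-the-wire bridge with static ESP keys on OpenBSD 3.x.
# Assumed syntax for brconfig(8)/ipsecadm(8); interface names, addresses,
# SPIs and keys are placeholders.

IF_SAFE=${IF_SAFE:-fxp0}          # interface on the trusted segment
IF_UNSAFE=${IF_UNSAFE:-fxp1}      # interface on the untrusted segment
IP1=${IP1:-192.0.2.10}            # protected host behind the bridge
IP2=${IP2:-198.51.100.20}         # peer on the unsafe side
SPI_OUT=${SPI_OUT:-1000}          # SA for IP1 -> IP2
SPI_IN=${SPI_IN:-1001}            # SA for IP2 -> IP1
DRY_RUN=${DRY_RUN:-1}             # 1: print commands only; 0: execute them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_key HEX BITS: 0 if HEX is hex digits of exactly BITS bits,
# e.g. 128 for an AES-128 key, 160 for an HMAC-SHA1 key.
check_key() {
    key=$1; bits=$2
    expected=$((bits / 4))
    case $key in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#key} -eq "$expected" ]
}

# Bridge both interfaces and set link2 so frames are handed to ipsec(4).
bridge_cmds() {
    run brconfig bridge0 add "$IF_SAFE" add "$IF_UNSAFE" link2 up
}

# One transport-mode SA per direction (no -forcetunnel); the bridge uses
# IP1's address as if it were that host.
sa_cmds() {
    enckey=$1; authkey=$2
    run ipsecadm new esp -spi "$SPI_OUT" -src "$IP1" -dst "$IP2" \
        -enc aes -auth sha1 -key "$enckey" -authkey "$authkey"
    run ipsecadm new esp -spi "$SPI_IN" -src "$IP2" -dst "$IP1" \
        -enc aes -auth sha1 -key "$enckey" -authkey "$authkey"
}

# Flows: only IP1<->IP2 host-to-host traffic must use ESP (-require);
# all other traffic crosses the bridge unmodified.
flow_cmds() {
    run ipsecadm flow -proto esp -src "$IP1" -dst "$IP2" \
        -addr "$IP1" 255.255.255.255 "$IP2" 255.255.255.255 -out -require
    run ipsecadm flow -proto esp -src "$IP2" -dst "$IP1" \
        -addr "$IP2" 255.255.255.255 "$IP1" 255.255.255.255 -in -require
}

# setup ENCKEY_HEX AUTHKEY_HEX: validate the keys, then bridge, SAs, flows.
setup() {
    enckey=$1; authkey=$2
    check_key "$enckey" 128 || { echo "bad AES-128 key" >&2; return 1; }
    check_key "$authkey" 160 || { echo "bad HMAC-SHA1 key" >&2; return 1; }
    bridge_cmds
    sa_cmds "$enckey" "$authkey"
    flow_cmds
}

# Stand-alone use: sh bitw.sh ENCKEY_HEX AUTHKEY_HEX
if [ $# -eq 2 ]; then
    setup "$1" "$2"
fi
```

Generate the keys with something like `openssl rand -hex 16` and `openssl rand -hex 20`, and keep the same values on IP2; with static keys there is no rekeying, so treat them like any other long-lived secret.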