Hi Siegfried (Maintainers of the IPSec stack and ISAKMPD are welcome to tear my answer apart)
IPSec tunnels are, for want of a better term, entirely transparent - the underlying OS and its clients have no idea that it exists. In order to route across an IPSec tunnel, use gif(4) to create an IP-to-IP tunnel between the endpoints. IPSec will encrypt all traffic that goes across it - from there it's a matter of setting up the static routes on either side. On Wed, Dec 12, 2018 at 7:40 AM Zhi-Qiang Lei <zhiqiang....@gmail.com> wrote: > > I’m building a gateway to encrypt some traffics: > > Client —————> Gateway —————> VPN Server —————> Internet > (192.168.1.16) (10.0.0.2) > > > [Gateway] /etc/iked.conf: > > ikev2 quick active ipcomp esp \ > from 10.0.0.2 to 0.0.0.0/0 \ > local egress peer $vpn_server_ip \ > ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group > curve25519 \ > childsa enc chacha20-poly130 group curve25519 \ > dstid "asgard.local" > > [VPN Server] /etc/iked.conf: > > ikev2 quick passive ipcomp esp \ > from 0.0.0.0/0 to 10.0.0.2 \ > local egress \ > ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group > curve25519 \ > childsa enc chacha20-poly130 group curve25519 \ > dstid "blackjack.local" > > The SA has been established. When I ping 10.0.0.2 on VPN Server and tcpdump > on gateway enc0 I got: > > # tcpdump -envps 1500 -i enc0 -l > tcpdump: listening on enc0, link-type ENC > 03:48:20.778584 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip > > $gateway_ip: $vpn_server_ip > 10.0.0.2: icmp: echo request (id:4656 seq:0) > [icmp cksum ok] (ttl 255, id 60419, len 84) (ttl 50, id 59144, len 104) > 03:48:21.788330 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip > > $gateway_ip: $vpn_server_ip > 10.0.0.2: icmp: echo request (id:4656 seq:1) > [icmp cksum ok] (ttl 255, id 1688, len 84) (ttl 50, id 31496, len 104) > > How can I route the packets from the client to the VPN server on the gateway? > When I was using OpenVPN, I did the routing in pf.conf: > > pass in quick from 192.168.1.0/24 to !192.168.1.0/24 route-to tun0 > pass out quick on tun0 from 192.168.1.0/24 to any nat-to tun0 > > However, there is no tunnel device created after the SA is established on > OpenBSD. Did I miss something to create it? > > Best regards, > Siegfried > > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
