Hi Aaron,

Thanks! I also tried gif. But the behavior is quite weird. Through the gif 
devices, the gateway and VPN server can ping each other, while the packets on 
gateway enc0 from the client routing to the gif device always got bad 
checksums. I think it is related to the bugs on gif(4) man page?

"There are many tunnelling protocol specifications, defined differently from 
each other. gif may not interoperate with peers which are based on different 
specifications, and are picky about outer header fields. For example, you 
cannot usually use gif to talk with IPsec devices that use IPsec tunnel mode.”

[Gateway] /etc/hostname.gif0:

[VPN server] /etc/hostname.gif0:

Best regards,

> On Dec 12, 2018, at 7:39 PM, Aaron Mason <simplersolut...@gmail.com> wrote:
> Hi Siegfried
> (Maintainers of the IPSec stack and ISAKMPD are welcome to tear my answer 
> apart)
> IPSec tunnels are, for want of a better term, entirely transparent -
> the underlying OS and its clients have no idea that it exists.  In
> order to route across an IPSec tunnel, use gif(4) to create an
> IP-to-IP tunnel between the endpoints.  IPSec will encrypt all traffic
> that goes across it - from there it's a matter of setting up the
> static routes on either side.
> On Wed, Dec 12, 2018 at 7:40 AM Zhi-Qiang Lei <zhiqiang....@gmail.com> wrote:
>> I’m building a gateway to encrypt some traffics:
>>     Client —————> Gateway —————> VPN Server —————> Internet
>> (             (
>> [Gateway] /etc/iked.conf:
>> ikev2 quick active ipcomp esp \
>>        from to \
>>        local egress peer $vpn_server_ip \
>>        ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group 
>> curve25519 \
>>        childsa enc chacha20-poly130 group curve25519 \
>>        dstid "asgard.local"
>> [VPN Server] /etc/iked.conf:
>> ikev2 quick passive ipcomp esp \
>>        from to \
>>        local egress \
>>        ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group 
>> curve25519 \
>>        childsa enc chacha20-poly130 group curve25519 \
>>        dstid "blackjack.local"
>> The SA has been established. When I ping on VPN Server and tcpdump 
>> on gateway enc0 I got:
>> # tcpdump -envps 1500 -i enc0 -l
>> tcpdump: listening on enc0, link-type ENC
>> 03:48:20.778584 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip > 
>> $gateway_ip: $vpn_server_ip > icmp: echo request (id:4656 seq:0) 
>> [icmp cksum ok] (ttl 255, id 60419, len 84) (ttl 50, id 59144, len 104)
>> 03:48:21.788330 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip > 
>> $gateway_ip: $vpn_server_ip > icmp: echo request (id:4656 seq:1) 
>> [icmp cksum ok] (ttl 255, id 1688, len 84) (ttl 50, id 31496, len 104)
>> How can I route the packets from the client to the VPN server on the 
>> gateway? When I was using OpenVPN, I did the routing in pf.conf:
>> pass in quick from to ! route-to tun0
>> pass out quick on tun0 from to any nat-to tun0
>> However, there is no tunnel device created after the SA is established on 
>> OpenBSD. Did I miss something to create it?
>> Best regards,
>> Siegfried
> -- 
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

Reply via email to