I'm still trying to make this work. When I ping from the OpenBSD system's internal-facing network to the Linux internal network, running tcpdump on both systems, I see packets entering the OpenBSD enc interface and exiting the OpenWRT xfrm interface. So I know packets are going across the tunnel. Pinging from the other direction, nothing.
Your firewall zone hint has me chasing firewall configuration, it is obvious OpenWRT developers could care less about IPsec functionality. If I get it working I will definitely share.

73 diana KI5PGJ

On October 19, 2025 6:02:03 PM MDT, Lloyd <[email protected]> wrote:
>Diana Eichert wrote:
>
>> Worse yet when I reach out to people I know
>> who use openwrt pretty much say, just use Wireguard.
>>
>> If anyone out there has configured ipsec
>> tunnels between openwrt and OpenBSD I'd appreciate some insight.
>
>My insight is to use Wireguard, it will preserve your sanity. I have wasted
>untold hours on this.
>
>I have successfully built IPSec tunnels between OpenBSD and just about every
>other OS, including Apple and Windows, and they all work fine. Could never get
>OpenWRT to work. My impression was the developers don't care enough about
>IPSec and their community perceives it as some ancient boomer protocol so
>there is zero effort to support it. You will notice IPSec has no support in
>the GUI and everything is external packages. IIRC they break IPSec support
>into so many sub-packages you never know if you have the full suite of them
>installed to ensure full kernel support. Some low-memory devices might not
>have enough space for them all.
>
>FWIW you may want to create a firewall zone for the tunnel and ensure the
>firewall allows bidirectional traffic between the zones.
>
>If you do get this working before giving up you might want to document it
>because AFAIK there is no up-to-date public documentation on how to
>successfully get IPSec running on OpenWRT.
>
>Regards
>Lloyd

