Hi,

I haven't heard anyone mention the OpenBSD sec interface yet.
It was introduced to OpenBSD to allow route-based VPNs instead of policy-based VPNs.

Route-based VPNs have made my life easier and are definitely something that made me love OpenBSD even more. I have connected to Sophos endpoints (which use xfrm interfaces for route-based VPN), AWS Site-to-Site VPN, and of course OpenBSD, using this method.

For route-based VPN you need a sec interface (man 4 sec).

An /etc/iked.conf entry using keys looks like this:

ikev2 "vpn.example.com" active esp \
        from any to any \
        peer vpna.example.com \
        srcid vpnb.example.com \
        dstid vpna.example.com \
        rsa \
        iface sec0

With PSK:

ikev2 "aws_t2" active esp \
        from any to any \
        peer vpn4.example.com \
        psk "deadbeafdeadbeaf" \
        iface sec4

If it is working, it will establish SAs but never a flow.

connect to Sophos VPN which uses an xfrm interface

On 22/10/2025 12:23 pm, [email protected] wrote:
xfrm interface is a virtual interface; strongswan no longer uses the VTI interface, now it uses xfrm (I typo'd it as xrfm before). I also have a static route in table 220, used by strongswan.

The latest version of OpenWRT doesn't have a uci or luci module for swanctl, but the OpenWRT website states older configuration methods are deprecated and you should use swanctl.conf with swanctl.

Like I said before, it's like I'm experiencing a never-ending bad acid trip. I'm obviously a glutton for punishment.

It is frustrating because I can see the packets arriving across the tunnel, coming out the xfrm (transform) interface.

I'll refrain from further posting about this on misc@, unless I have something useful to post.

Thanks

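The sec(4) setup the thread describes, as an added example that is not part of the original post and not OpenBSD's own documentation: it stages the /etc/hostname.sec0 file that gives the tunnel its addresses and the static route (the "route" in route-based VPN), and it checks the output of ipsecctl -sa for the state the post says a working tunnel shows, SAs present and no flows. The tunnel addresses, the remote network, the STAGE directory and both ipsecctl samples are constructed for illustration; the hostname.if(5) point-to-point form "inet addr netmask dest" and the route-via-remote-tunnel-address choice are assumptions you should check against your own install.

```shell
#!/bin/sh
# Added example, not from the original post: stage the OpenBSD side of a
# route-based VPN on a sec(4) interface and classify "ipsecctl -sa" output.
# Addresses, names and the sample ipsecctl output below are constructed.
set -eu

# Files go under STAGE so the script can run anywhere. On an OpenBSD router
# set STAGE=/ (as root) and then bring the interface up: sh /etc/netstart sec0
STAGE="${STAGE:-$(mktemp -d)}"

# /etc/hostname.secN: point-to-point tunnel addresses plus a static route for
# the remote network through the tunnel. hostname.if(5) executes "!" lines as
# commands after the interface is configured. Prints the path written.
write_hostname_sec() {
    ifn="$1" local_addr="$2" remote_addr="$3" remote_net="$4"
    mkdir -p "$STAGE/etc"
    cat > "$STAGE/etc/hostname.$ifn" <<EOF
inet $local_addr 255.255.255.255 $remote_addr
up
!route add -inet $remote_net $remote_addr
EOF
    chmod 640 "$STAGE/etc/hostname.$ifn"
    printf '%s\n' "$STAGE/etc/hostname.$ifn"
}

# Read "ipsecctl -sa" output on stdin and print "<SAs> <flows>".
# An "iface secN" rule makes iked(8) install SAs bound to the interface and
# no flows; a non-zero flow count means a policy-based rule is in effect.
tunnel_counts() {
    awk '
        /^FLOWS:/ { sect = "flows"; next }
        /^SAD:/   { sect = "sad";   next }
        sect == "flows" && /^flow /     { flows++ }
        sect == "sad"   && /^(esp|ah) / { sas++ }
        END { printf "%d %d\n", sas + 0, flows + 0 }
    '
}

# Exit 0 when stdin shows a working route-based tunnel (SAs > 0, flows == 0).
route_based_ok() {
    set -- $(tunnel_counts)
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed samples of "ipsecctl -sa" output (not captured from a real host).
SAMPLE_ROUTE_BASED='FLOWS:
No flows

SAD:
esp tunnel from 203.0.113.10 to 198.51.100.20 spi 0x0c6a4d51 auth hmac-sha2-256 enc aes-256
esp tunnel from 198.51.100.20 to 203.0.113.10 spi 0x9be27f03 auth hmac-sha2-256 enc aes-256'

SAMPLE_POLICY_BASED='FLOWS:
flow esp in from 10.20.0.0/24 to 10.10.0.0/24 peer 198.51.100.20 srcid FQDN/vpnb.example.com dstid FQDN/vpna.example.com type use
flow esp out from 10.10.0.0/24 to 10.20.0.0/24 peer 198.51.100.20 srcid FQDN/vpnb.example.com dstid FQDN/vpna.example.com type require

SAD:
esp tunnel from 203.0.113.10 to 198.51.100.20 spi 0x0c6a4d51 auth hmac-sha2-256 enc aes-256
esp tunnel from 198.51.100.20 to 203.0.113.10 spi 0x9be27f03 auth hmac-sha2-256 enc aes-256'

# Demo: stage sec0 for remote network 10.20.0.0/24 and classify both samples.
demo() {
    echo "wrote $(write_hostname_sec sec0 10.255.0.1 10.255.0.2 10.20.0.0/24)"
    for s in "$SAMPLE_ROUTE_BASED" "$SAMPLE_POLICY_BASED"; do
        counts=$(printf '%s\n' "$s" | tunnel_counts)
        if printf '%s\n' "$s" | route_based_ok; then
            echo "OK: route-based tunnel up (SAs flows: $counts)"
        else
            echo "NOT route-based or not up (SAs flows: $counts)"
        fi
    done
}

demo
```

On the live box the check is simply `ipsecctl -sa | route_based_ok`; if it reports flows, look for an ikev2 rule without "iface" that matches the same peer, since that is what turns the tunnel back into a policy-based one.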