Chris Jones writes:
> A while back I attempted to set up a route-based VPN tunnel between a
> Fortigate firewall and an OpenBSD firewall with no success. I now have
> the need to get this to work and wondering if someone on the list can
> shed some light on the configuration. The end goal is to have a gif(4)
> interface run over IPSec so that I can use a dynamic routing protocol to
> route traffic to remote VPN networks.
As far as OpenBSD is concerned, when it talks to a FortiGate/Netscreen both are using tunnel mode IPsec. The difference is that FortiGate/Netscreen implement it in such a way that a virtual interface is created so that you can route over it. To do the equivalent under OpenBSD you'd either:

* implement an equivalent kind of IPsec network device in the OpenBSD kernel (enc0 is a starting point) and modify the IKE daemon to know about it.

* modify the IKE daemon so that when it negotiates tunnel mode, then on the OpenBSD side it adds transport mode IPsec SAs and creates or binds to a gif device.

If you are wondering why FortiGate/Netscreen do things the way they do, it comes down to ease of configuration. For years under Cisco IOS the way to do what you want was a combination of transport mode IPsec and a GRE interface. Not particularly difficult to set up, but still more complicated than it needed to be if all you want is a VPN that you can route over. So Cisco IOS now supports an IPsec interface so that you can forget about transport mode and GRE (unless you're talking to *BSD/Linux) and just define your tunnel mode IPsec and you get an interface to route over.
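The "transport mode IPsec plus a tunnel interface" arrangement the reply describes is what you would build natively on the OpenBSD side: a gif(4) IP-in-IP tunnel between the two gateways, with a transport-mode ESP flow protecting only that tunnel traffic, so a routing daemon can use gif0 as a normal point-to-point link. The script below is an added example, not code from the thread or from the OpenBSD project; it only generates the two configuration files (ipsec.conf(5) and hostname.if(5) syntax) so they can be inspected before being installed. All addresses and the pre-shared key are constructed placeholders, and the `proto ipencap` restriction (IP protocol 4, the IP-in-IP encapsulation gif(4) uses for IPv4) is an assumption about how to scope the flow to the tunnel packets only.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the OpenBSD side of
# a routable IPsec tunnel built the "Cisco IOS / *BSD" way the reply
# describes: transport-mode ESP protecting a gif(4) IP-in-IP tunnel.
# Every address and the PSK below is a constructed placeholder.

LOCAL_PUB=192.0.2.1       # constructed: this gateway's public address
REMOTE_PUB=198.51.100.1   # constructed: peer gateway's public address
LOCAL_TUN=10.255.0.1      # constructed: inside (gif0) address, this side
REMOTE_TUN=10.255.0.2     # constructed: inside (gif0) address, peer side
PSK_PLACEHOLDER='REPLACE-WITH-LONG-RANDOM-KEY'   # placeholder, not a real key

# /etc/ipsec.conf: one transport-mode ESP flow between the two gateway
# addresses. 'proto ipencap' (assumption: IP protocol 4 from /etc/protocols)
# limits the flow to the gif(4) IP-in-IP packets, so ordinary traffic
# between the gateways is left alone and routing decides what enters gif0.
gen_ipsec_conf() {
    cat <<EOF
# Transport mode: only the gif0 IP-in-IP packets between the gateways are
# encrypted; the routing table (static or a routing daemon) chooses what
# is sent into the tunnel.
ike esp transport proto ipencap from $LOCAL_PUB to $REMOTE_PUB \\
    main auth hmac-sha2-256 enc aes-256 group modp2048 \\
    psk "$PSK_PLACEHOLDER"
EOF
}

# /etc/hostname.gif0: outer tunnel endpoints, then the point-to-point inside
# addresses a routing protocol can use as next hops over the tunnel.
gen_hostname_gif0() {
    cat <<EOF
tunnel $LOCAL_PUB $REMOTE_PUB
inet $LOCAL_TUN 255.255.255.255 $REMOTE_TUN
up
EOF
}

# Sanity check helper: number of transport-mode IKE flows in the output.
count_transport_flows() {
    gen_ipsec_conf | grep -c '^ike esp transport'
}

# Print both files so they can be reviewed before copying into /etc.
gen_ipsec_conf
echo "---"
gen_hostname_gif0
```

After installing the files, `sh /etc/netstart gif0` brings the interface up and `ipsecctl -f /etc/ipsec.conf` loads the flow; `ipsecctl -sa` then shows the transport-mode SA and flow, and the peer's inside address (10.255.0.2 here) becomes a usable next hop for static routes or a routing daemon.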