Re: Route based IPsec
On 5/31/23 05:03, Valdrin MUJA wrote:
> Hi Claudio & David,
>
> Wireguard can work behind NAT. In that case maybe the solution is wireguard + BGP.

I've been using OSPF over wireguard for several years now. It works quite well. You just have to add `wgaip 224.0.0.0/8' to allow multicast over the link.
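A minimal OpenBSD configuration for the OSPF-over-wg(4) setup described in the reply above, added here as an illustration and not taken from the thread; the keys, addresses and router-id are placeholders, and the peer side needs the mirrored wgaip entries.

```conf
# /etc/hostname.wg0 (added example; keys and addresses are placeholders)
wgkey REPLACE_WITH_LOCAL_PRIVATE_KEY
wgport 51820
# wg(4) only forwards packets whose destination is covered by a peer's
# allowed IPs. OSPF hellos go to 224.0.0.5 / 224.0.0.6, so without the
# 224.0.0.0/8 entry they are silently dropped and no adjacency ever forms.
wgpeer REPLACE_WITH_PEER_PUBLIC_KEY wgendpoint 198.51.100.1 51820 wgaip 10.20.20.2/32 wgaip 224.0.0.0/8
inet 10.20.20.1/30
up

# /etc/ospfd.conf (added example)
router-id 10.20.20.1
# Advertise the locally connected networks to the other end of the tunnel.
redistribute connected
area 0.0.0.0 {
	interface wg0
}
```

Check the adjacency with `ospfctl show neighbor`; if it stays in Init or never appears, verify that both ends list 224.0.0.0/8 under the peer in `ifconfig wg0`.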
Re: Route based IPsec
Hi Claudio & David,

Wireguard can work behind NAT. In that case maybe the solution is wireguard + BGP.
In fact, I already tried this and wanted to use BGP multipath but failed and sent it to the misc list in a separate mail. (I wrote gre + bgp in the related mail; my aim was not to prolong my work with the wireguard config.)

From: owner-m...@openbsd.org on behalf of Claudio Jeker
Sent: Wednesday, May 31, 2023 12:09
To: David Gwynne
Cc: Misc
Subject: Re: Route based IPsec

On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote:
>
> > On 31 May 2023, at 18:33, Claudio Jeker wrote:
> >
> > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
> >>
> >>> On 27 May 2023, at 21:40, Stuart Henderson wrote:
> >>>
> >>> On 2023-05-27, Valdrin MUJA wrote:
> >>>> Does OpenBSD have route based IPsec support?
> >>>
> >>> Not yet.
> >>
> >> while you wait, it might be possible to configure a gif tunnel protected
> >> by ipsec transport mode.
> >
> > The annoying bit with gif tunnels in transport mode is the need for static
> > IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode
> > because of that.
>
> that's an annoying thing about gif, even without ipsec in the mix.

Indeed. Both gif and gre share this issue.

> should i make it possible to specify an interface as the source of local
> addresses on tunnels?

Not sure if it is worth the effort since the other end of the tunnel needs to adjust the tunnel remote address as well.
Neither gif nor gre support authentication. Using wg(4) for that is an option but because of dynamic routing I ended up packing a gif tunnel into wg(4) (so I'm back to square one).

-- 
:wq Claudio
Re: Route based IPsec
On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote:
>
> > On 31 May 2023, at 18:33, Claudio Jeker wrote:
> >
> > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
> >>
> >>> On 27 May 2023, at 21:40, Stuart Henderson wrote:
> >>>
> >>> On 2023-05-27, Valdrin MUJA wrote:
> >>>> Does OpenBSD have route based IPsec support?
> >>>
> >>> Not yet.
> >>
> >> while you wait, it might be possible to configure a gif tunnel protected
> >> by ipsec transport mode.
> >
> > The annoying bit with gif tunnels in transport mode is the need for static
> > IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode
> > because of that.
>
> that's an annoying thing about gif, even without ipsec in the mix.

Indeed. Both gif and gre share this issue.

> should i make it possible to specify an interface as the source of local
> addresses on tunnels?

Not sure if it is worth the effort since the other end of the tunnel needs to adjust the tunnel remote address as well.
Neither gif nor gre support authentication. Using wg(4) for that is an option but because of dynamic routing I ended up packing a gif tunnel into wg(4) (so I'm back to square one).

-- 
:wq Claudio
Re: Route based IPsec
> On 31 May 2023, at 18:33, Claudio Jeker wrote:
>
> On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
>>
>>> On 27 May 2023, at 21:40, Stuart Henderson wrote:
>>>
>>> On 2023-05-27, Valdrin MUJA wrote:
>>>> Does OpenBSD have route based IPsec support?
>>>
>>> Not yet.
>>
>> while you wait, it might be possible to configure a gif tunnel protected
>> by ipsec transport mode.
>
> The annoying bit with gif tunnels in transport mode is the need for static
> IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode
> because of that.

that's an annoying thing about gif, even without ipsec in the mix.

should i make it possible to specify an interface as the source of local addresses on tunnels?
Re: Route based IPsec
On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
>
> > On 27 May 2023, at 21:40, Stuart Henderson wrote:
> >
> > On 2023-05-27, Valdrin MUJA wrote:
> >> Does OpenBSD have route based IPsec support?
> >
> > Not yet.
>
> while you wait, it might be possible to configure a gif tunnel protected
> by ipsec transport mode.
>

The annoying bit with gif tunnels in transport mode is the need for static IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode because of that.

-- 
:wq Claudio
Re: Route based IPsec
Thanks David, I'll try it soon.

From: owner-m...@openbsd.org on behalf of David Gwynne
Sent: Wednesday, May 31, 2023 01:35
To: Stuart Henderson
Cc: misc@openbsd.org
Subject: Re: Route based IPsec

> On 27 May 2023, at 21:40, Stuart Henderson wrote:
>
> On 2023-05-27, Valdrin MUJA wrote:
>> Does OpenBSD have route based IPsec support?
>
> Not yet.

while you wait, it might be possible to configure a gif tunnel protected by ipsec transport mode.

dlg
Re: Route based IPsec
> On 27 May 2023, at 21:40, Stuart Henderson wrote:
>
> On 2023-05-27, Valdrin MUJA wrote:
>> Does OpenBSD have route based IPsec support?
>
> Not yet.

while you wait, it might be possible to configure a gif tunnel protected by ipsec transport mode.

dlg
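One way to build the gif-over-transport-mode setup David suggests, added here as an illustration and not taken from the thread; the outer and inner addresses, the remote prefix and the pre-shared key are placeholders, and the ipsec.conf(5) line assumes isakmpd with the mirrored flow on the far end.

```conf
# /etc/hostname.gif0 (added example; all addresses are placeholders)
# The outer addresses are the fixed public IPs of both ends. Transport mode
# protects exactly this src/dst pair, which is why both sides need static IPs.
tunnel 203.0.113.1 198.51.100.1
inet 10.10.10.1 255.255.255.252 10.10.10.2
up
# Route based: the routing table, not an IPsec flow, decides what enters
# the tunnel. A routing daemon can install these instead of static routes.
!route add -inet 192.0.2.0/24 10.10.10.2

# /etc/ipsec.conf (added example, isakmpd/ipsec.conf(5) syntax)
# ESP in transport mode for the IPv4-in-IPv4 (ipencap, protocol 4) packets
# that gif0 emits between the two outer addresses. Nothing else on the
# outer addresses is protected, so pass only protocol 4 between them in pf.
ike esp transport proto ipencap from 203.0.113.1 to 198.51.100.1 psk "REPLACE_WITH_STRONG_PRESHARED_KEY"
```

Confirm the SA is up with `ipsecctl -sa` and that decrypted packets arrive on enc0 (`tcpdump -ni enc0`) before trusting the routes over gif0. Because the flow is bound to the two outer addresses, a NATed or dynamic end breaks it, which is the limitation Claudio raises above.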
Re: Route based IPsec
On 27.5.2023. 9:24, Valdrin MUJA wrote:
> Hello,
>
> I need a route based IPsec solution to set up between a firewall device and
> my OpenBSD firewall.
> However, I am a little confused about this:
> I created more than one enc device, I did policy based routing with PF but no
> results. I guess this is not the intended use of interfaces like enc[0,1].
> But since I am not sure, I would like to ask:
> Does OpenBSD have route based IPsec support? Thanks in advance.
>

A little off topic... if the other side is an AWS IPsec gateway or VMware NSX, then policy based IPsec works quite nicely, but yeah, route based IPsec would be awesome.
Re: Route based IPsec
On 2023-05-27, Valdrin MUJA wrote:
> Does OpenBSD have route based IPsec support?

Not yet.
Route based IPsec
Hello,

I need a route based IPsec solution to set up between a firewall device and my OpenBSD firewall.
However, I am a little confused about this:
I created more than one enc device, I did policy based routing with PF but no results. I guess this is not the intended use of interfaces like enc[0,1].
But since I am not sure, I would like to ask:
Does OpenBSD have route based IPsec support? Thanks in advance.