CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2023/08/06 22:10:08
Modified files:
sbin/ipsecctl : ike.c ipsecctl.h parse.y pfkdump.c
Log message:
add support route based ipsec vpn negotiation with sec(4) via isakmpd.
this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.
if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).
this supports route-based instead of policy based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesnt fit with the SPD.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
