Hi Andrew,

> On BSD, a route based VPN has to be used, because it has no policy based
> implementation (as far as I know).

At least on FreeBSD that's not the case, i.e. it has policies just like other IPsec implementations (including socket policies to whitelist the IKE sockets). But for virtual IPs a TUN device and routes to it are necessary (so the source IP matches the policies, not to replace them). But this won't work if the remote TS includes the IKE peer, as that would route IKE packets incorrectly. While this is mainly an issue if virtual IPs are used, that exception is currently not handled that specifically. However, the failure to install a route is not fatal (the result is basically ignored), so if the routing is already set up properly this shouldn't really be an issue as long as no virtual IPs are used.

Regards,
Tobias
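As an added example (not code from the message above or from strongSwan), a POSIX shell check for the caveat Tobias describes: given the IKE peer address and the remote traffic selectors, report any selector that covers the peer, since a route to the TUN device for such a selector would also capture the IKE packets. IPv4 only; the addresses in the comments are constructed for illustration.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed (return 0) if IPv4 address $2 lies inside CIDR $1, e.g. 10.0.0.0/8.
# A bare address without a prefix length is treated as /32.
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# Check each remote traffic selector against the IKE peer address.
# Prints one line per selector; returns 1 if any selector covers the
# peer, i.e. a route to the TUN device for that selector would send
# IKE traffic into the tunnel instead of to the peer directly.
check_remote_ts() {
    peer=$1
    shift
    rc=0
    for ts in "$@"; do
        if cidr_contains "$ts" "$peer"; then
            echo "WARN: remote TS $ts covers IKE peer $peer; route via tun would misroute IKE"
            rc=1
        else
            echo "ok: remote TS $ts does not cover IKE peer $peer"
        fi
    done
    return $rc
}

# Example (constructed addresses): peer 203.0.113.10, remote TS 10.0.0.0/8 and 0.0.0.0/0.
# The second selector covers the peer and triggers the warning.
check_remote_ts 203.0.113.10 10.0.0.0/8 0.0.0.0/0
```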