I have set up an ipsec configuration which is compatible with iOS and OS X's built-in Cisco ipsec clients, i.e. in a "Road warrior" type setup. The configuration works and runs on my router with the following topology:
Code:
(INTERNET)-----( router )--->to lan
                 vr1      bridge0
               a.a.a.a    b.b.b.b
The racoon daemon listens on my public ip, a.a.a.a, and b.b.b.b is the lan-side address for my lan subnet (e.g., 10.0.1.0/24). The address pool for ipsec clients starts at 172.0.1.10 with a pool size of 10. I also defined "split_network include 10.0.1.0/24;" in racoon.conf and defined appropriate firewall rules in pf.conf to pass ipsec protocols. My question is the following:
After establishing an ipsec session, say for the client 172.16.1.10, I must add the following rule to my pf rules in order for the client to reach my b.b.b.0/24 subnet:
Code:
pass in on vr1 from 172.16.1.10 to 10.0.1.0/24
I am uneasy with opening traffic on my wan port for 172.16.1.0/24 (I normally block reserved addresses on vr1). Is there a way to attach the tunneled 172.16.1.0/24 traffic to a separate interface, i.e. separate the tunneled traffic from the vr1 (wan) port and still retain the "road warrior" capability? I am aware that a site-to-site ipsec tunnel can be made with a gif0 interface on both ends, but it's not clear how to implement a gif0 tunnel on my router's end, so that it can communicate with the cisco client software on the client's end (which seems to open a utun0 interface on the client).
Regards,
-jmj75
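As an added illustration (not from the poster's configuration), the following pf.conf fragment shows one way to keep the decapsulated client traffic off vr1 by filtering it on FreeBSD's enc(4) pseudo-interface instead. It assumes a FreeBSD router with if_enc available (`kldload if_enc` or `device enc` in the kernel, then `ifconfig enc0 up`), the 172.16.1.0/24 client pool and 10.0.1.0/24 lan from the post, and that with if_enc loaded pf sees the inner (decrypted) packets on enc0 rather than on vr1; verify that last point with `tcpdump -ni enc0` and the rule counters from `pfctl -vvsr` before removing the vr1 rule.

```pf
# Constructed example for a racoon road-warrior setup; not the original poster's pf.conf.
# Assumption: if_enc is loaded and enc0 is up, so inner IPsec packets are filtered on enc0.

wan_if     = "vr1"
lan_if     = "bridge0"
ipsec_pool = "172.16.1.0/24"      # client address pool handed out by racoon (assumed)
lan_net    = "10.0.1.0/24"        # lan behind bridge0 (from the post)

# Existing policy: reserved/private source addresses are not accepted on the wan port.
# The client pool stays inside this block, so the wan side never trusts 172.16.1.0/24 directly.
table <reserved> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick on $wan_if from <reserved>

# Only the IPsec carrier traffic is needed on vr1: IKE (500), NAT-T (4500) and ESP.
pass in quick on $wan_if proto udp from any to ($wan_if) port { 500, 4500 }
pass in quick on $wan_if proto esp from any to ($wan_if)

# Decrypted packets appear on enc0; allow the client pool to reach the lan only there,
# and only the lan to answer back, instead of "pass in on vr1 from 172.16.1.10 ...".
pass in  on enc0 from $ipsec_pool to $lan_net keep state
pass out on enc0 from $lan_net to $ipsec_pool keep state

# Anything else arriving from the tunnel (e.g. a client trying to reach the wan) is dropped.
block in log on enc0
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.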