IpSec Virtual Tunneling Interface

1) THANX! it is great!
2) is it available for 11.0-RELEASE?
3) is it available as a ready to compile kernel interface module?
4) is it a correct strongswan setup:
config setup
    charondebug=0

conn %default
    ikelifetime=1d
    lifetime=1h
    margintime=1m
    keyingtries=%forever
    authby=psk
    type=tunnel
    keyexchange=ikev2
    mobike=no
    dpdaction=restart
    auto=start
    dpddelay=10s
    esp=aes128-sha256-modp1024!
    ike=aes128-sha256-modp1024!
    forceencaps=no
    fragmentation=yes
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

conn TEST
    left=local.example.org
    leftid=fqdn:TEST
    right=remote.example.org
    rightid=fqdn:TEST
    reqid=XXX
 
strongswan can do the REQID / MARK-in/out stuff too, and it's working on penguins (ip tunnel mode vti)

compiling with 11.0-RELEASE failed :(
 
The mailing list post is in freebsd-current. I would not expect it to work on stable unless backported. It looks experimental and the poster has been incrementally bringing the capability online.
 
If both endpoints support it, you can already combine IPsec in transport mode with GRE to get a tunnel interface suitable for dynamic routing, at the cost of a 4-byte GRE header. The performance improvements alone are very useful, and getting rid of the GRE header is the icing on the cake.
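As an added illustration, not written by any poster in this thread, the following Python models ESP encapsulation overhead for the aes128-sha256 suite used in the ipsec.conf above and shows where the 4-byte difference between a tunnel-mode VTI and GRE-over-transport-mode comes from. It assumes AES-CBC (16-byte block and IV), HMAC-SHA2-256-128 (16-byte ICV), plain IPv4 headers without options and no NAT-T UDP encapsulation.

```python
# Added example: ESP overhead model for the thread's aes128-sha256 suite.
# Assumptions (not from the thread): AES-CBC with a 16-byte IV, HMAC-SHA2-256-128
# with a 16-byte ICV, 20-byte IPv4 headers, minimal 4-byte GRE header, no NAT-T.

ESP_HDR = 8          # SPI (4) + sequence number (4)
AES_BLOCK = 16       # aes128 in CBC mode: block size, and the IV length
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_SHA256_128 = 16  # sha256 truncated to 128 bits, per RFC 4868
IPV4_HDR = 20
GRE_HDR = 4          # no key, sequence or checksum options


def esp_packet_len(inner_len: int, mode: str, gre: bool = False) -> int:
    """Return the on-the-wire IPv4 length of one ESP-protected datagram.

    inner_len is the inner IP packet (header + payload) being carried.
    'tunnel'    : IPsec tunnel mode, i.e. what a VTI carries
    'transport' : transport-mode SA protecting a GRE delivery packet
    """
    if mode == "tunnel":
        plaintext = inner_len                      # whole inner packet
    elif mode == "transport":
        # GRE-over-IPsec: ESP covers the GRE header plus the inner packet
        plaintext = (GRE_HDR if gre else 0) + inner_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # pad so that plaintext + pad + trailer fills whole cipher blocks
    pad = (-(plaintext + ESP_TRAILER)) % AES_BLOCK
    encrypted = plaintext + pad + ESP_TRAILER
    return IPV4_HDR + ESP_HDR + AES_BLOCK + encrypted + ICV_SHA256_128


def max_inner_len(link_mtu: int, mode: str, gre: bool = False) -> int:
    """Largest inner IP packet that fits link_mtu without fragmentation."""
    best = 0
    for inner in range(1, link_mtu + 1):
        if esp_packet_len(inner, mode, gre) <= link_mtu:
            best = inner
        else:
            break  # overhead only grows with inner_len, so stop at first miss
    return best


if __name__ == "__main__":
    for label, mode, gre in (("VTI, tunnel mode", "tunnel", False),
                             ("GRE over transport", "transport", True)):
        print(f"{label:20s}: inner MTU {max_inner_len(1500, mode, gre)} on a 1500-byte link")
```

The GRE variant comes out exactly 4 bytes smaller, and the remaining 62 bytes of lost MTU are the ESP fixed overhead for this suite plus the block padding that CBC forces.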
 
GRE on FreeBSD, and also in JunOS, is a very buggy thing.
First of all, the MTU cannot be set to 1500;
it's strange: 1414 bytes maximum, even if 'ifconfig' says 1500.
 