Hi Nemir!

Short answer: Yes, it works.

Please forget all the other answers...  I was reading them with some
amusement - port knocking, tunnels, special scripts, "no" :-).  Nobody
seems to have a clue about our IPsec stack.

It is a standard feature that should just work fine with isakmpd(8).
Instead of creating all flows from isakmpd, you can load flows in
ipsec.conf and let isakmpd wait in passive mode.  Passive mode lets
isakmpd wait for connections from remote peers _or_ for messages from
the kernel.  The kernel will send a PFKEYv2 message to isakmpd if it
sees traffic for a flow that does not have an active SA; kindly asking
it to negotiate one.

See also:
http://www.allard.nu/openbsd/maillist/archive/200608/1331.html

A possible, but untested, ipsec.conf configuration could be:

---snip---
flow esp from 192.168.10.0/24 to 192.168.20.0/24 peer 10.0.0.2 type require
ike passive esp from 192.168.10.0/24 to 192.168.20.0/24 peer 10.0.0.2
---snap---

The "flow esp" line is loaded into the kernel but doesn't have an SA
associated.  Note that you could also use "acquire" instead of
"require" to allow unencrypted traffic before the SA is present (who
would do that?).  The "ike passive esp" is loaded into isakmpd(8).

Note that iked(8) doesn't support this type of configuration yet.  It
does understand the acquire/require messages from the kernel but
currently requires an active flow from an initial IKEv2
handshake.  It is on our TODO list ;-).

Regards,
reyk

On Wed, Apr 13, 2011 at 09:19:19AM +0000, nemir nemirius wrote:
> One of my clients is a major bank.   We need to exchange data a few
> times a day at different intervals,  and they're insisting that we
> initiate the VPN on demand with relevant traffic.
> 
> It works from their end.  Tunnel is down, they send a ping,  first
> packet is dropped as the tunnel is brought up,  subsequent traffic
> reaches its destination.
> 
> What I can't see in the man pages, guides, help files is how to get
> an OpenBSD firewall to do the same thing.
> 
> I still use isakmpd as I have created several custom transform
> configurations that I've not had time to figure out how to migrate
> over.   And because I am familiar with it.
> 
> I use  OpenBSD 4.8,  and will be upgrading as soon as the discs
> arrive.
> 
> Is it possible? Can you show me how?
> 
> Thanks!
> 
> Nemir

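As an added illustration (not part of reyk's reply, and not taken from the OpenBSD documentation), the two-line snippet above fleshed out into a complete /etc/ipsec.conf for Nemir's scenario.  The networks and the peer address are the ones from the reply; the local gateway address 10.0.0.1, the transform choices and the pre-shared key are placeholders I have assumed and must be replaced with whatever the bank's peer actually negotiates.  Like reyk's snippet, this is untested.

```conf
# /etc/ipsec.conf -- added example with assumed values; untested.
# Local gateway 10.0.0.1 (assumed) with 192.168.10.0/24 behind it,
# remote peer 10.0.0.2 with 192.168.20.0/24 behind it.

local_gw   = "10.0.0.1"
remote_gw  = "10.0.0.2"
local_net  = "192.168.10.0/24"
remote_net = "192.168.20.0/24"

# Kernel flow loaded without any SA.  "type require" drops matching
# traffic until an SA exists and makes the kernel send a PF_KEY ACQUIRE
# to isakmpd(8) for the first packet that hits the flow.  "type acquire"
# would instead let the traffic out in the clear while the SA is
# being negotiated, which is not what a bank link wants.
flow esp from $local_net to $remote_net \
    local $local_gw peer $remote_gw type require

# The same policy handed to isakmpd(8) in passive mode: it answers the
# bank when they initiate, and negotiates when the kernel asks it to.
# Transforms and PSK below are placeholders, not the bank's real ones.
ike passive esp from $local_net to $remote_net \
    local $local_gw peer $remote_gw \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk "replace-with-the-real-pre-shared-key"
```

With ipsec=YES and isakmpd_flags="-K" in /etc/rc.conf.local the file is loaded at boot; by hand, ipsecctl -nf /etc/ipsec.conf checks the syntax without loading it, ipsecctl -f /etc/ipsec.conf loads it, and ipsecctl -sa afterwards should list the flow with no SA until either the bank initiates or local traffic hits the flow.  Running ipsecctl -m while sending that first ping lets you watch the kernel's ACQUIRE message go out.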