Oops, some funky key presses prematurely sent my previous email to the list.
Continuing.
An /etc/hostname.sec0 might look like this:
inet 169.254.64.93 255.255.255.252 169.254.64.94
up
description "vpn1 route based vpn"
!route add 2.2.2.2/32 169.254.64.94
Where 169.254.64.94 would be the IP address of an xfrm interface on the
other side of the tunnel.
So when sending from 1.1.1.1 to 2.2.2.2, OpenBSD will route it to the
far side of the tunnel.
The other side needs to route 1.1.1.1 to 169.254.64.93.
Cheers
Joe
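As an added example (not from the thread), this POSIX sh script builds the hostname.secN bodies for both ends of the /30 link described above, so that each side's !route line points at the other side's sec/xfrm address. The addresses 169.254.64.93/.94 and the prefixes 1.1.1.1/32 and 2.2.2.2/32 are taken from the message; the description strings are constructed.

```shell
#!/bin/sh
# Added example: generate /etc/hostname.secN files for a route-based VPN
# over a 169.254.x.x/30 point-to-point link.
# Constructed values: local 169.254.64.93/30, far side 169.254.64.94,
# protected prefixes 1.1.1.1/32 (local) and 2.2.2.2/32 (far side).

# Given one host address of a /30, print the other host address.
# A /30 has two usable hosts: block base + 1 and block base + 2.
peer_in_30() {
    ip=$1
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    base=$(( d / 4 * 4 ))
    if [ "$d" -eq $((base + 1)) ]; then
        peer=$((base + 2))
    elif [ "$d" -eq $((base + 2)) ]; then
        peer=$((base + 1))
    else
        echo "$ip is the network or broadcast address of its /30" >&2
        return 1
    fi
    echo "$a.$b.$c.$peer"
}

# Print an /etc/hostname.secN body: inside address, /30 mask, peer address,
# and a !route line that sends the far side's prefix over the tunnel.
gen_hostname_sec() {
    local_ip=$1 remote_prefix=$2 desc=$3
    peer=$(peer_in_30 "$local_ip") || return 1
    printf 'inet %s 255.255.255.252 %s\nup\ndescription "%s"\n!route add %s %s\n' \
        "$local_ip" "$peer" "$desc" "$remote_prefix" "$peer"
}

# Side A routes 2.2.2.2 via .94; side B routes 1.1.1.1 via .93.
# Both files together give the symmetric routing the message asks for.
gen_hostname_sec 169.254.64.93 2.2.2.2/32 "vpn1 route based vpn"
echo "---"
gen_hostname_sec 169.254.64.94 1.1.1.1/32 "vpn1 route based vpn (far side)"
```

The iked.conf side stays as shown in the quoted message; the only link between the two files is the `iface secN` keyword naming the interface this script configures.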
On 23/10/2025 7:59 am, Joe Cook wrote:
Hi,
I haven't heard anyone mention the OpenBSD sec interface yet.
It was introduced to OpenBSD to allow route based VPN instead of
policy based VPNs.
Route based VPNs have made my life easier and are definitely something
that made me love OpenBSD even more.
I have connected to Sophos endpoints (which use xfrm interfaces for
route based VPN), AWS Site-to-Site VPN, and of course OpenBSD, using
this method.
For route based VPN you need a sec interface (man 4 sec).
An /etc/iked.conf entry using keys looks like this:
ikev2 "vpn.example.com" active esp \
from any to any \
peer vpna.example.com \
srcid vpnb.example.com \
dstid vpna.example.com \
rsa \
iface sec0
With PSK:
ikev2 "aws_t2" active esp \
from any to any \
peer vpn4.example.com \
psk "deadbeafdeadbeaf" \
iface sec4
If working it will establish SAs, but never a Flow.
connect to Sophos VPN which uses an xfrm interface
On 22/10/2025 12:23 pm, [email protected] wrote:
xfrm interface is a virtual interface, strongswan no longer uses VTI
interface, now it uses xfrm (I typo'd it as xrfm before). I also
have a static route in table 220, used by strongswan.
The latest version of OpenWRT doesn't have uci, or luci, module for
swanctl, but the OpenWRT website states older configuration methods
are deprecated and you should use swanctl.conf with swanctl.
Like I said before, it's like I'm experiencing a never-ending bad acid
trip. I'm obviously a glutton for punishment.
It is frustrating because I can see the packets arriving across the
tunnel, coming out the xfrm (transform) interface.
I'll refrain from further posting about this on misc@, unless I have
something useful to post.
Thanks