Re: iked and rdomain

2020-04-21 Thread Marko Cupać

On 2020-04-17 14:37, Florian Weber wrote:

> Good afternoon,
>
> is it possible to have only traffic which is routed through a specific
> rdomain being encrypted, i.e. have an enc interface in another rdomain
> and only the whole traffic that runs in that rdomain gets encrypted?


I have just recently implemented something which seems similar to what you
need, albeit with isakmpd, not iked.

Perhaps my hostname.if will give some hints:

me@somebox:~ $ doas cat /etc/hostname.em1
rdomain 1
inet 192.0.2.2 255.255.255.252 NONE \
  description "ISP"
!/sbin/route -T1 -n add default 192.0.2.1
!/sbin/route -T1 exec /sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.1
!/sbin/route -T1 exec /usr/sbin/sshd -4 -f /etc/ssh/sshd_config.1

And yes, you will need enc1 for rdomain 1:

me@somebox:~ $ doas cat /etc/hostname.enc1
rdomain 1 up

Feel free to ask for more details (there's more to this setup, namely gre
tunnel protected with transport-mode ipsec, OSPF etc.).

Hope this helps,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
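The setup above hinges on one invariant: every daemon and route command launched from hostname.em1 must be executed inside rdomain 1 (via `route -T1 exec`), and an enc interface must exist in that same rdomain, otherwise the daemon binds sockets in the default rdomain and the IPsec flows never apply to the routed traffic. The lint below, which is an added example and not part of the thread or of OpenBSD, parses hostname.if(5)-style files and reports commands that run outside the interface's rdomain and rdomains that lack an enc interface. The sample files are constructed for the example, modelled on the two files quoted above plus a deliberately misconfigured pair (hostname.em2 / hostname.enc2); the `-T` detection assumes the rtable is given as `-T<N>` or `-T <N>` on the `route` command.

```python
"""Lint hostname.if(5) files for rdomain consistency (added example, not OpenBSD code)."""
import os
import re
from typing import Dict, List

# Constructed sample files. em1/enc1 follow the thread; em2/enc2 are deliberately wrong:
# isakmpd is started without 'route -T2 exec', ipsecctl targets rdomain 1, enc2 has no rdomain.
SAMPLE_FILES: Dict[str, str] = {
    "hostname.em1": """rdomain 1
inet 192.0.2.2 255.255.255.252 NONE \\
  description "ISP"
!/sbin/route -T1 -n add default 192.0.2.1
!/sbin/route -T1 exec /sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.1
!/sbin/route -T1 exec /usr/sbin/sshd -4 -f /etc/ssh/sshd_config.1
""",
    "hostname.enc1": "rdomain 1 up\n",
    "hostname.em2": """rdomain 2
inet 198.51.100.2 255.255.255.252 NONE
!/sbin/route -T2 -n add default 198.51.100.1
!/sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.2
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.2
""",
    "hostname.enc2": "up\n",
}

RDOMAIN_RE = re.compile(r"^rdomain\s+(\d+)\b")
# First -T on the line belongs to route(8); later -T flags (e.g. in the exec'd command) are ignored.
RTABLE_RE = re.compile(r"-T\s*(\d+)")


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop blanks/comments, as hostname.if is read."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        out.append((buf + raw).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return [line for line in out if line and not line.startswith("#")]


def parse_hostname_if(text: str) -> dict:
    """Return the interface's rdomain (0 if none is set) and the '!' commands it runs."""
    rdomain = 0
    commands: List[str] = []
    for line in logical_lines(text):
        m = RDOMAIN_RE.match(line)
        if m:
            rdomain = int(m.group(1))
        elif line.startswith("!"):
            commands.append(line[1:].strip())
    return {"rdomain": rdomain, "commands": commands}


def lint(files: Dict[str, str]) -> List[str]:
    """Report commands outside the interface's rdomain and rdomains without an enc interface."""
    findings: List[str] = []
    parsed = {name: parse_hostname_if(text) for name, text in files.items()}
    enc_rdomains = {p["rdomain"] for n, p in parsed.items() if n.startswith("hostname.enc")}
    for name, p in parsed.items():
        rd = p["rdomain"]
        for cmd in p["commands"]:
            argv = cmd.split()
            m = RTABLE_RE.search(cmd)
            if os.path.basename(argv[0]) != "route" or m is None:
                findings.append(f"{name}: '{cmd}' runs in the default rdomain, not rdomain {rd}")
            elif int(m.group(1)) != rd:
                findings.append(
                    f"{name}: '{cmd}' targets rdomain {m.group(1)} but the interface is in rdomain {rd}"
                )
        if rd != 0 and not name.startswith("hostname.enc") and rd not in enc_rdomains:
            findings.append(f"{name}: no enc interface is configured in rdomain {rd}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_FILES):
        print(finding)
```

Run against the constructed files, the em1/enc1 pair is clean and all three findings point at hostname.em2: isakmpd started in rdomain 0, ipsecctl loading rules into rdomain 1, and no enc interface in rdomain 2. The check is deliberately file-level and offline; on a live box the same invariant can be confirmed by inspecting which rtable each daemon's sockets are attached to.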



Re: iked and rdomain

2020-04-17 Thread Tobias Heider
On Fri, Apr 17, 2020 at 02:37:57PM +0200, Florian Weber wrote:
> Good afternoon,
> 
> is it possible to have only traffic which is routed through a specific
> rdomain being encrypted, i.e. have an enc interface in another rdomain and
> only the whole traffic that runs in that rdomain gets encrypted?
> 
> Thank you for your help.
> 
> Best regards,
> 
> Florian
> 

Currently the only thing that should work out of the box is having iked
running in a non-default rdomain and then use ipsec only in this rdomain.

However, I have been working on better rdomain integration for
ipsec/iked lately and a working diff that should solve your problem
is currently waiting for testing over at tech@:
https://marc.info/?l=openbsd-tech&m=158677212723896&w=2

Feedback welcome ;)



iked and rdomain

2020-04-17 Thread Florian Weber

Good afternoon,

is it possible to have only traffic which is routed through a specific
rdomain being encrypted, i.e. have an enc interface in another rdomain
and only the whole traffic that runs in that rdomain gets encrypted?


Thank you for your help.

Best regards,

Florian