On 2020-04-17 14:37, Florian Weber wrote:
> Good afternoon,
> is it possible to have only traffic which is routed through a specific
> rdomain being encrypted, i.e. have an enc interface in another rdomain
> and only the whole traffic that runs in that rdomain gets encrypted?
I have just recently implemented something which seems similar to what
you need, albeit with isakmpd, not iked.
Perhaps my hostname.if will give some hints:
me@somebox:~ $ doas cat /etc/hostname.em1
rdomain 1
inet 192.0.2.2 255.255.255.252 NONE \
description "ISP"
!/sbin/route -T1 -n add default 192.0.2.1
!/sbin/route -T1 exec /sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.1
!/sbin/route -T1 exec /usr/sbin/sshd -4 -f /etc/ssh/sshd_config.1
And yes, you will need enc1 for rdomain 1:
me@somebox:~ $ doas cat /etc/hostname.enc1
rdomain 1 up
Feel free to ask for more details (there's more to this setup, namely a
gre tunnel protected with transport-mode ipsec, OSPF etc.).
Hope this helps,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
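Added example, not part of the thread or of Marko's setup: a small POSIX sh linter for a hostname.if file written in the style shown above. The point it checks is the one that silently breaks this kind of configuration: the `rdomain N` line and every `!/sbin/route -TN ...` line in the same file must agree, otherwise isakmpd, ipsecctl or sshd start in a routing domain that does not have the ISP route or the enc interface. The file names, the second (deliberately inconsistent) sample, and the exit-code convention (0 consistent, 1 mismatch, 2 no rdomain line) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the post): check that a hostname.if which pins an
# interface to a routing domain also runs every route(8) command in that same
# domain. File names and sample contents below are constructed.

# lint_hostname_if FILE
#   returns 0 if every "-TN" matches the file's "rdomain N" line,
#   1 on any mismatch (each one is reported on stderr),
#   2 if the file declares no rdomain at all.
lint_hostname_if() {
    file="$1"
    # the domain number is the second field of the "rdomain" line
    rd=$(awk '$1 == "rdomain" { print $2; exit }' "$file")
    if [ -z "$rd" ]; then
        echo "$file: no rdomain line" >&2
        return 2
    fi
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '!'*route*' -T'*) ;;   # only route(8) invocations carrying -T
            *) continue ;;
        esac
        # number that follows -T on this line
        t=$(printf '%s\n' "$line" | sed -n 's/.*-T\([0-9][0-9]*\).*/\1/p')
        if [ "$t" != "$rd" ]; then
            echo "$file: rdomain $rd but command uses -T$t: $line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample modelled on the /etc/hostname.em1 in the post (consistent).
tmpdir=$(mktemp -d)
good="$tmpdir/hostname.em1"
cat > "$good" <<'EOF'
rdomain 1
inet 192.0.2.2 255.255.255.252 NONE \
description "ISP"
!/sbin/route -T1 -n add default 192.0.2.1
!/sbin/route -T1 exec /sbin/isakmpd -K -c /etc/isakmpd/isakmpd.conf.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.1
EOF

# Constructed sample with a mistake: ipsecctl is started in rdomain 1
# although the interface lives in rdomain 2.
bad_file="$tmpdir/hostname.em2"
cat > "$bad_file" <<'EOF'
rdomain 2
inet 198.51.100.2 255.255.255.252 NONE
!/sbin/route -T2 -n add default 198.51.100.1
!/sbin/route -T1 exec /sbin/ipsecctl -f /etc/ipsec.conf.2
EOF

lint_hostname_if "$good" && echo "$good: ok"
lint_hostname_if "$bad_file" || echo "$bad_file: inconsistent"
```

Run it against each /etc/hostname.* that carries an `rdomain` line before `sh /etc/netstart`; it is a static check on the file only and never touches the running routing tables.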