Hi,

On a rainy/snowy Sunday, I am trying to "renovate" an ancient but working Layer-2 Ethernet bridge over IPsec over wireless LAN setup that I had implemented using isakmpd (IKEv1) in OpenBSD 4.3 on WRAP boards from PC Engines, and bring it up to date with iked (IKEv2) using the latest crypto transforms in OpenBSD -current on two APU2 boards :-)

With his OK in [1], Reyk briefly described his test scenario(s): "tested with pair(4) ... ipsec on pair(4) ... routed ipsec on pair(4) ... (pair0 -> ipsec -> pair1 -> $ext_if) ... bridge/pair stp ..."

Do I interpret this correctly as representing (at least) five different use cases that are separated by ellipses '...'?

Can ipsec() use pair() directly without going through gif(4) and bridge(4) (with Link2 set), e.g. is only the last case above involving bridge()? (Probably unlikely, as pair(4), like vether(4), are always members of bridges according to their man pages.)

What is the difference between the 2nd and 3rd use cases, e.g. Layer-2 bridging vs. Layer-3 routing over IPsec tunnels?

Would you mind sharing maybe some (fragments of) configurations that illustrate those use cases?

Thanks,
Rolf

[1] Re: pair(4) + pf(4): reset all state on "reinjected" packets
http://permalink.gmane.org/gmane.os.openbsd.tech/45411