CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2023/08/06 22:01:30

Modified files:
sbin/isakmpd : ipsec.c pf_key_v2.c sa.h

Log message:
support configuring interface SAs for route-based ipsec vpns.

add "Interface NUMBER" to the config parser to specify that once SAs have been negotiated with a peer, install the SAs with the sadb_x_iface extension set up, but skip installing the flows/SPD entries.

this allows for the negotiation of multiple esp tunnels covering all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to do something useful with them using the routing table and sec(4) interfaces instead of having SPD entries fight over those packets in the kernel. this in turn allows interoperation with other ipsec/vpn solutions that require the negotiation of such tunnels.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@