Thank you for the replies. I am told the OPNsense fork of pfSense runs a hardened version of FreeBSD rather than OpenBSD.

I think their support for IKEv2 is relatively recent. I will try this again to see if I can get the routing correct.

On Wed, Sep 12, 2018 at 4:43 AM Tobias Brunner <tob...@strongswan.org> wrote:
> Hi Andrew,
>
> > On BSD, a route based VPN has to be used, because it has no policy based
> > implementation (as far as I know).
>
> At least on FreeBSD that's not the case, i.e. it has policies just like
> other IPsec implementations (including socket policies to whitelist the
> IKE sockets). But for virtual IPs a TUN device and routes to it are
> necessary (so the source IP matches the policies, not to replace them).
> But this won't work if the remote TS includes the IKE peer as that would
> route IKE packets incorrectly. While this is mainly an issue if virtual
> IPs are used, that exception is currently not handled that specifically.
> However, the failure to install a route is not fatal (the result is
> basically ignored) so if the routing is already set up properly this
> shouldn't really be an issue as long as no virtual IPs are used.
>
> Regards,
> Tobias
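The problem Tobias describes, a remote traffic selector that contains the IKE peer's own address so that a route for the TS via the TUN device would also swallow the IKE/ESP packets, is easy to check before bringing a tunnel up. The following is an added example, not code from this thread or from the strongSwan project: it takes the remote traffic selectors as CIDR strings, flags any that contain the peer, and plans the routes for a virtual-IP setup. The host route for the peer via the underlay gateway is an assumption about how one would keep IKE traffic off the tunnel, and the addresses, interface name (`tun0`) and gateway are constructed sample values.

```python
"""Check whether the remote traffic selectors of a route-based IPsec tunnel
contain the IKE peer itself, and plan the routes for a virtual-IP setup.

Added example; not code from the strongSwan project. Routes are returned as
plain dicts so the caller can hand them to whatever tool installs them.
"""
import ipaddress


def ts_containing_peer(remote_ts, peer):
    """Return the remote traffic selectors (CIDR strings) that contain the
    IKE peer's address.  A route for such a TS via the TUN device would also
    carry the IKE/ESP packets destined for the peer into the tunnel."""
    peer_ip = ipaddress.ip_address(peer)
    hits = []
    for ts in remote_ts:
        net = ipaddress.ip_network(ts, strict=False)
        # Only compare within the same address family.
        if net.version == peer_ip.version and peer_ip in net:
            hits.append(ts)
    return hits


def plan_routes(remote_ts, peer, tun_if, underlay_gw):
    """Plan routes for a route-based tunnel that uses a virtual IP.

    Every remote TS gets a route via the TUN device, so the kernel picks the
    virtual IP as source and the packet matches the IPsec policy.  If a TS
    contains the peer, a more specific host route for the peer via the
    underlay gateway is emitted first so IKE/ESP traffic is not sent into
    the tunnel (assumption: the caller knows the underlay gateway)."""
    routes = []
    if ts_containing_peer(remote_ts, peer):
        peer_ip = ipaddress.ip_address(peer)
        host = f"{peer}/{peer_ip.max_prefixlen}"  # /32 for IPv4, /128 for IPv6
        routes.append({"dst": host, "via": underlay_gw,
                       "reason": "keep IKE/ESP to the peer off the tunnel"})
    for ts in remote_ts:
        net = ipaddress.ip_network(ts, strict=False)
        routes.append({"dst": str(net), "dev": tun_if, "reason": "remote TS"})
    return routes


if __name__ == "__main__":
    # Constructed sample: the peer sits inside one of the remote selectors.
    peer = "203.0.113.10"
    remote_ts = ["10.0.0.0/8", "203.0.113.0/24"]
    print("selectors containing the peer:", ts_containing_peer(remote_ts, peer))
    for r in plan_routes(remote_ts, peer, "tun0", "203.0.113.1"):
        print(r)
```

A `0.0.0.0/0` remote selector (full tunnel) always triggers the check, which is exactly the case where a missing exception route breaks IKE.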