[strongSwan] opnsense: conflicts with IKE traffic

Tobias Brunner tobias at strongswan.org
Wed Sep 12 10:42:59 CEST 2018


Hi Andrew,

> On BSD, a route based VPN has to be used, because it has no policy based implementation (as far as I know).

At least on FreeBSD that's not the case, i.e. it has policies just like
other IPsec implementations (including socket policies to whitelist the
IKE sockets). But for virtual IPs a TUN device and routes to it are
necessary (so the source IP matches the policies, not to replace them).
But this won't work if the remote TS includes the IKE peer as that would
route IKE packets incorrectly.  While this is mainly an issue if virtual
IPs are used, that exception is currently not handled that specifically.
However, the failure to install a route is not fatal (the result is
basically ignored) so if the routing is already set up properly this
shouldn't really be an issue as long as no virtual IPs are used.

Regards,
Tobias
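The situation Tobias describes (a route to the TUN device for a remote traffic selector that also contains the IKE peer, so IKE packets would be pulled into the tunnel route) can be checked ahead of time. The following script is an added example, not part of this message and not strongSwan code: it models, with constructed selectors and a constructed peer address, which routes a virtual-IP setup would install, flags the ones that would capture IKE traffic to the peer, and computes the covering prefixes a manually maintained routing table would need to exclude the peer's host address. The function names and the sample values are assumptions made for the illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample input (documentation addresses, not a real deployment):
# remote traffic selectors of a tunnel and the address of the IKE peer.
SAMPLE_REMOTE_TS = ["10.0.0.0/8", "192.0.2.0/24", "0.0.0.0/0"]
SAMPLE_PEER = "192.0.2.1"
SAMPLE_TUN = "tun0"  # hypothetical TUN device name


def parse_ts(ts: str) -> ipaddress._BaseNetwork:
    """Parse one traffic selector given in CIDR form (host bits are tolerated)."""
    return ipaddress.ip_network(ts, strict=False)


def planned_routes(remote_ts: Iterable[str], tun_dev: str, peer: str) -> List[Tuple[str, str, bool]]:
    """Model the routes a virtual-IP setup would install: one per remote TS
    via the TUN device. The third field is True when that route would also
    carry the IKE traffic (UDP 500/4500) destined to the peer, because the
    peer's address lies inside the selector."""
    peer_ip = ipaddress.ip_address(peer)
    routes = []
    for ts in remote_ts:
        net = parse_ts(ts)
        # 'in' returns False for mixed address families, so v4/v6 need no special case.
        routes.append((str(net), tun_dev, peer_ip in net))
    return routes


def conflicting_selectors(remote_ts: Iterable[str], peer: str) -> List[str]:
    """Return only the selectors whose route would capture IKE packets to the peer."""
    return [dst for dst, _dev, captures in planned_routes(remote_ts, "", peer) if captures]


def routes_excluding_peer(ts: str, peer: str) -> List[str]:
    """Split one selector into the set of prefixes that cover it minus the
    peer's host address (/32 or /128). A selector that does not contain the
    peer is returned unchanged; a selector equal to the peer's host route
    yields nothing, since no tunnel route can exist without capturing IKE."""
    net = parse_ts(ts)
    peer_net = ipaddress.ip_network(peer)  # host address becomes /32 or /128
    if peer_net.version != net.version or not peer_net.subnet_of(net):
        return [str(net)]
    return sorted((str(n) for n in net.address_exclude(peer_net)),
                  key=lambda s: ipaddress.ip_network(s).network_address)


if __name__ == "__main__":
    for dst, dev, captures in planned_routes(SAMPLE_REMOTE_TS, SAMPLE_TUN, SAMPLE_PEER):
        flag = "  <- would capture IKE traffic to the peer" if captures else ""
        print(f"route {dst} dev {dev}{flag}")
    for ts in conflicting_selectors(SAMPLE_REMOTE_TS, SAMPLE_PEER):
        print(f"{ts} without {SAMPLE_PEER}: {routes_excluding_peer(ts, SAMPLE_PEER)}")
```

Excluding a single host from a /n prefix always produces 32 - n IPv4 prefixes (or 128 - n for IPv6), so a full default route becomes 32 separate routes; that is why such an exception is awkward to install automatically and why keeping the peer outside the remote selector, or relying on socket policies for the IKE sockets, is the simpler approach.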
