[strongSwan] opnsense: conflicts with IKE traffic

Andrew Russell wirefox33 at gmail.com
Wed Sep 12 16:49:30 CEST 2018


Thank you for the replies. I am told the OPNsense fork of pfSense runs a
hardened version of FreeBSD rather than OpenBSD.

I think their support for IKEv2 is relatively recent. I will try this
again to see if I can get the routing correct.

On Wed, Sep 12, 2018 at 4:43 AM Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Andrew,
>
> > On BSD, a route based VPN has to be used, because it has no policy based
> implementation (as far as I know).
>
> At least on FreeBSD that's not the case, i.e. it has policies just like
> other IPsec implementations (including socket policies to whitelist the
> IKE sockets). But for virtual IPs a TUN device and routes to it are
> necessary (so the source IP matches the policies, not to replace them).
> But this won't work if the remote TS includes the IKE peer as that would
> route IKE packets incorrectly. While this is mainly an issue if virtual
> IPs are used, that exception is currently not handled that specifically.
> However, the failure to install a route is not fatal (the result is
> basically ignored) so if the routing is already set up properly this
> shouldn't really be an issue as long as no virtual IPs are used.
>
> Regards,
> Tobias
>
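The routing problem Tobias describes (a route for the remote TS pointing at the TUN device also swallowing packets to the IKE peer when the TS covers the peer's address) can be checked offline with a small longest-prefix-match model. This is an added example, not code from the thread or from strongSwan; the route table, the `tun0` label, the RFC 5737 addresses and the function names are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, next-hop label), e.g. ("0.0.0.0/0", "em0 via 192.0.2.1").
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, modelling the kernel's FIB decision."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def ike_route_conflict(routes: List[Route], remote_ts: str, peer: str,
                       tun: str = "tun0") -> bool:
    """True if adding a route for remote_ts via the TUN device would make
    IKE/ESP packets addressed to the peer leave through that TUN device."""
    candidate = routes + [(ipaddress.ip_network(remote_ts), tun)]
    return lookup(candidate, peer) == tun


def pin_peer_route(routes: List[Route], peer: str) -> List[Route]:
    """Mitigation: a /32 host route for the peer via whatever the underlay
    already uses, so it wins longest-prefix match over the TS route."""
    via = lookup(routes, peer)  # resolved before the TUN route exists
    if via is None:
        raise ValueError(f"no underlay route for peer {peer}")
    return routes + [(ipaddress.ip_network(f"{peer}/32"), via)]


# Constructed sample: default route on the physical interface only.
UNDERLAY: List[Route] = [(ipaddress.ip_network("0.0.0.0/0"), "em0 via 192.0.2.1")]

if __name__ == "__main__":
    # Remote TS contains the IKE peer -> the TUN route would capture IKE traffic.
    print(ike_route_conflict(UNDERLAY, "203.0.113.0/24", "203.0.113.5"))
    # Same TS, with a pinned host route for the peer -> no conflict.
    print(ike_route_conflict(pin_peer_route(UNDERLAY, "203.0.113.5"),
                             "203.0.113.0/24", "203.0.113.5"))
```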