Wednesday, May 31, 2023

Re: Route based IPsec

Hi Claudio & David,

WireGuard can work behind NAT. In that case maybe the solution is WireGuard + BGP.

In fact, I already tried this and wanted to use BGP multipath but failed and sent it to the misc list in a separate mail.

(I wrote gre + bgp in the related mail, my aim was not to prolong my work with the WireGuard config.)
________________________________
From: owner-misc@openbsd.org <owner-misc@openbsd.org> on behalf of Claudio Jeker <cjeker@diehard.n-r-g.com>
Sent: Wednesday, May 31, 2023 12:09
To: David Gwynne <david@gwynne.id.au>
Cc: Misc <misc@openbsd.org>
Subject: Re: Route based IPsec

On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote:
>
>
> > On 31 May 2023, at 18:33, Claudio Jeker <cjeker@diehard.n-r-g.com> wrote:
> >
> > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
> >>
> >>
> >>> On 27 May 2023, at 21:40, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> >>>
> >>> On 2023-05-27, Valdrin MUJA <valdrin_muja@outlook.com> wrote:
> >>>> Does OpenBSD have routed based IPsec support?
> >>>
> >>> Not yet.
> >>
> >> while you wait, it might be possible to configure a gif tunnel protected
> >> by ipsec transport mode.
> >>
> >
> > The annoying bit with gif tunnels in transport mode is the need for static
> > IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode
> > because of that.
>
> that's an annoying thing about gif, even without ipsec in the mix.

Indeed. Both gif and gre share this issue.

> should i make it possible to specify an interface as the source of local
> addresses on tunnels?

Not sure if it is worth the effort since the other end of the tunnel needs
to adjust the tunnel remote address as well. Neither gif nor gre support
authentication. Using wg(4) for that is an option but because of dynamic
routing I ended up packing a gif tunnel into wg(4) (so I'm back to square
one).

--
:wq Claudio
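The workaround Stuart suggests above (a gif tunnel whose outer packets are protected by IPsec in transport mode) and the limitation Claudio points out (both tunnel endpoints must be static public addresses) can be made concrete with a small configuration. The following is an added illustration, not configuration from anyone in this thread; the addresses, host names and pre-shared key are placeholders, and the file layout assumes OpenBSD's hostname.if(5) and ipsec.conf(5) conventions.

```conf
# Added example; not configuration posted in the thread.
# Host A (public 192.0.2.1) <-> Host B (public 198.51.100.1).
# gif(4) pins both outer addresses, so both must be static: this is the
# limitation the thread discusses. The IPsec transport-mode rule supplies
# the authentication and encryption that gif (and gre) lack on their own.

# --- Host A: /etc/hostname.gif0 (assumed layout) ---
tunnel 192.0.2.1 198.51.100.1
inet 10.255.0.1 10.255.0.2
up

# --- Host A: /etc/ipsec.conf (assumed layout) ---
# gif carries IP-in-IP, protocol 4 ("ipencap" in /etc/protocols).
# Matching only that protocol between the two public addresses keeps the
# SA scoped to the tunnel traffic; transport mode avoids a second outer
# IP header on top of the one gif already adds.
ike esp transport proto ipencap \
        from 192.0.2.1 to 198.51.100.1 \
        local 192.0.2.1 peer 198.51.100.1 \
        srcid host-a.example.net dstid host-b.example.net \
        psk "REPLACE_WITH_PRE_SHARED_KEY"

# Host B mirrors this with the addresses swapped:
#   /etc/hostname.gif0:  tunnel 198.51.100.1 192.0.2.1
#                        inet 10.255.0.2 10.255.0.1
#   /etc/ipsec.conf:     ike esp transport proto ipencap \
#                            from 198.51.100.1 to 192.0.2.1 \
#                            local 198.51.100.1 peer 192.0.2.1 ...
```

If IPv6 is also carried inside the gif, a second `ike` rule with `proto ipv6` (protocol 41) is needed, since the rule above only covers IPv4-in-IPv4. Once isakmpd(8) and ipsec are enabled in rc.conf.local, `ipsecctl -s all` shows whether the flow and SAs for protocol 4 between the two public addresses exist; a gif that passes traffic while no such flow is present means the tunnel is running unprotected, which is exactly the state the IPsec layer is meant to prevent. The example does not remove the static-address requirement; that is what pushes the thread toward wg(4), which authenticates peers itself and tolerates a roaming endpoint.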
