Netgate Discussion Forum

OSPF over IPsec without GRE

6 Posts 4 Posters 2.7k Views
    Jonb
    last edited by Dec 6, 2017, 5:07 PM

    I am trying to replicate what you can do with a Cisco, which is an unnumbered IPsec tunnel with OSPF to build the route. I have tried to do some reading and all materials say within a GRE tunnel.

    Is it possible to do without GRE?

    Hosted desktops and servers with support without complication.
    www.blueskysystems.co.uk

      curtisgrice
      last edited by Dec 21, 2017, 7:01 PM

      Cisco has a few IPsec modes; the one you're thinking of actually uses GRE in the background. This is said to be doable in pfSense but I could never get it to work. I heard somewhere they (pfSense) were changing how strongSwan (the IPsec package in pfSense) interfaces with the kernel and that would allow for dropping OSPF right on top of IPsec transport mode.

      It's been a long time since I've looked at any of this so I could be WAY off the mark as well.

      Slow code? Sounds like a good reason to buy more hardware!

        DavidDPD
        last edited by Dec 27, 2017, 1:17 AM

        I have just spent a few weeks getting plain FreeBSD 11.1 to connect with a Juniper SRX with "route-based" IPsec … using a routing protocol like OSPF to share dynamic routes across VPNs. From everything I have found, dynamic routing from FreeBSD (or pfSense) over an IPsec tunnel is only possible with if_ipsec(4), which officially appeared in 11.1-RELEASE.

        Just in the last few minutes, I was attempting to get pfSense to connect with my Juniper SRXs over a route-based IPsec VPN; however, pfSense 2.4.2 does not yet have the ability to configure this type of IPsec.

        So far, from my understanding, without if_ipsec(4), IPsec on FreeBSD is done by the Security Policy Database (SPD), which is manipulated with setkey(8), and can be viewed in Status->IPsec->SPDs in pfSense.

        So in policy-based IPsec, from what I can tell, one would have to manually create the SPD associations on each endpoint, as well as add static routes ... especially if these are routers sharing dynamic routing information through the network.

        I may open a new topic as well, as I would like to know if pfSense will add configuration for route-based if_ipsec(4), and what the time line is for that.

        EDIT: No ETA : https://forum.pfsense.org/index.php?topic=97231.0

          Jonb
          last edited by Jun 13, 2018, 2:51 PM
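The contrast DavidDPD draws above, policy-based IPsec driven by SPD entries versus route-based IPsec on an if_ipsec(4) interface that routes (and therefore OSPF) can point at, as an added example that is not code from the thread, from pfSense or from FreeBSD. The script defaults to DRY_RUN=1 and only prints the commands, so it can be read or tested anywhere; addresses, the reqid, SPIs and keys are constructed placeholders, and the manually keyed SAs stand in for what strongSwan would negotiate and install.

```shell
#!/bin/sh
# Added example: policy-based vs route-based IPsec on FreeBSD 11.1 or later.
# DRY_RUN=1 (the default) prints commands instead of executing them; run with
# DRY_RUN=0 as root on FreeBSD to apply. All addresses, the reqid, SPIs and
# keys are constructed placeholders.

# Execute a command, or print it when dry-running.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Same, for commands that read their configuration from stdin (setkey -c).
run_stdin() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s <<EOF\n' "$*"
        cat
        printf 'EOF\n'
    else
        "$@"
    fi
}

# Policy-based: the SPD decides which packets are protected, one policy pair
# per protected subnet pair. There is no tunnel interface, so a routing
# protocol has nothing to run over, and every remote subnet needs its own
# SPD entries (plus a matching route) on both peers.
#   policy_based <local_gw> <remote_gw> <local_net> <remote_net>
policy_based() {
    local_gw=$1 remote_gw=$2 local_net=$3 remote_net=$4
    run_stdin setkey -c <<EOF
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/require;
spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_gw-$local_gw/require;
EOF
}

# Route-based: if_ipsec(4) installs the security policy itself and ties it to
# the SAs through the reqid, so the SAs must carry the same reqid (setkey -u,
# or the IKE daemon's reqid) or traffic never enters the tunnel. Once up, the
# interface is an ordinary point-to-point link: static routes, or OSPF
# adjacencies formed over the inner addresses, select it.
#   route_based <local_gw> <remote_gw> <reqid> <inner_local> <inner_remote> <remote_net>
route_based() {
    local_gw=$1 remote_gw=$2 reqid=$3 inner_local=$4 inner_remote=$5 remote_net=$6
    run ifconfig ipsec0 create reqid "$reqid"
    run ifconfig ipsec0 inet tunnel "$local_gw" "$remote_gw"
    run ifconfig ipsec0 inet "$inner_local" "$inner_remote"
    # Manually keyed SAs with placeholder keys, shown only to make the reqid
    # link visible; in practice strongSwan (pfSense) negotiates and installs them.
    run_stdin setkey -c <<EOF
add $local_gw $remote_gw esp 0x1001 -m tunnel -u $reqid -E rijndael-cbc 0x00112233445566778899aabbccddeeff -A hmac-sha2-256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
add $remote_gw $local_gw esp 0x1002 -m tunnel -u $reqid -E rijndael-cbc 0xffeeddccbbaa99887766554433221100 -A hmac-sha2-256 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100;
EOF
    # A static route via the tunnel; with OSPF running on ipsec0 this line
    # goes away and the remote prefixes arrive as dynamic routes instead.
    run route add -net "$remote_net" "$inner_remote"
}

# Dry-run demonstration of both styles for the same pair of peers.
if [ "${DRY_RUN:-1}" = "1" ]; then
    policy_based 203.0.113.1 198.51.100.1 192.168.1.0/24 192.168.2.0/24
    route_based 203.0.113.1 198.51.100.1 100 10.255.0.1 10.255.0.2 192.168.2.0/24
fi
```

The reqid is the piece that catches people: ifconfig sets it on the interface and every SA for that tunnel has to carry the same value, which is also why pfSense's later VTI support had to plumb a reqid from strongSwan into the interface configuration rather than only installing SPD entries.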

          Now that FreeBSD supports this function, could any of the devs update this thread with plans on updating the GUI and code base to support the new kernel function?

          Hosted desktops and servers with support without complication.
          www.blueskysystems.co.uk

            jimp (Rebel Alliance, Developer, Netgate) @Jonb
            last edited by jimp Jun 13, 2018, 3:48 PM

            @jonb said in OSPF over IPsec without GRE:

            Now that FreeBSD supports this function, could any of the devs update this thread with plans on updating the GUI and code base to support the new kernel function?

            Support for routed IPsec/VTI is in 2.4.4 snapshots. It's still being tested but it's fairly solid at the moment with no major caveats that I'm aware of.

            https://redmine.pfsense.org/issues/8544

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              Jonb
              last edited by Jun 13, 2018, 4:01 PM

              Sweet, thanks jimp. I am sure I speak for a few people when I say we look forward to this support and appreciate the efforts of yourself and your team.

              Hosted desktops and servers with support without complication.
              www.blueskysystems.co.uk
