[CFT] sec(4) for Route Based IPSec VPNs
by from OpenBSD Journal on (#6CPQ3)
A new tool for creating flexible, route-based site-to-site virtual private networks (site-to-site VPNs) is entering its call-for-testing phase on OpenBSD-current.
In a message to the tech@ mailing list on July 4th, 2023, David Gwynne (dlg@) presented a diff that adds a new virtual network interface dubbed sec(4). The message reads,
Subject: sec(4): route based ipsec vpns
From: David Gwynne <david () gwynne ! id ! au>
Date: 2023-07-04 5:26:30

tl;dr: this adds sec(4) p2p ip interfaces. Traffic in and out of these interfaces is protected by IPsec security associations (SAs), but there's no flows (security policy database (SPD) entries) associated with these SAs. The policy for using the sec(4) interfaces and their SAs is route-based instead.

Longer version:

I was going to use "make ipsec great again^W" as the subject line, but thought better of it. The reason I started on this was to better interoperate with "site-to-site" vpns, in particular AWS Site-to-Site VPNs, and the Auto-Discovery VPN (ADVPN) stuff on fortinet fortigate appliances. Both of these negotiate IPsec tunnels that can carry any traffic at the IPsec level, but use BGP and routes to direct traffic into those tunnels.