Author Topic: OSPF over IPsec without GRE  (Read 269 times)

Offline Jonb

  • Sr. Member
  • Posts: 456
  • Karma: +0/-0
    • Blue Sky Systems
OSPF over IPsec without GRE
« on: December 06, 2017, 11:07:11 am »
I am trying to replicate what you can do with a Cisco, which is an unnumbered IPSec tunnel with OSPF to build the route. I have tried to do some reading and all materials say within a GRE tunnel.

Is it possible to do without GRE?
Hosted desktops and servers with support without complication.

Offline curtisgrice

  • Jr. Member
  • Posts: 82
  • Karma: +5/-1
Re: OSPF over IPsec without GRE
« Reply #1 on: December 21, 2017, 01:01:40 pm »
Cisco has a few IPsec modes; the one you're thinking of actually uses GRE in the background. This is said to be doable in pfSense but I could never get it to work. I heard somewhere they (pfSense) were changing how strongSwan (the IPSec package in pfSense) interfaces with the kernel and that would allow for dropping OSPF right on top of IPSec transport mode.

It's been a long time since I've looked at any of this so I could be WAY off the mark as well.
Slow code? Sounds like a good reason to buy more hardware!

Offline DavidDPD

  • Newbie
  • Posts: 2
  • Karma: +0/-0
Re: OSPF over IPsec without GRE
« Reply #2 on: December 26, 2017, 07:17:46 pm »
I have just spent a few weeks getting plain FreeBSD 11.1 to connect with a Juniper SRX with "route-based" IPsec ... using a routing protocol like OSPF to share dynamic routes across VPNs. From everything I have found, dynamic routing from FreeBSD (or pfSense) over an IPsec tunnel is only possible with if_ipsec(4), which officially appeared in 11.1-RELEASE.

Just in the last few minutes, I was attempting to get pfSense to connect with my Juniper SRXs over a route-based IPSec VPN; however, pfSense 2.4.2 does not yet have the ability to configure this type of IPsec.

So far, from my understanding, without if_ipsec(4), IPsec on FreeBSD is done by the Security Policy Database (SPD), which is manipulated with setkey(8), and can be viewed in Status->IPsec->SPDs in pfSense.

So in policy-based IPsec, from what I can tell, one would have to manually create the SPD associations on each endpoint, as well as adding static routes ... especially if these are routers sharing dynamic routing information through the network.

I may open a new topic as well, as I would like to know if pfSense will add configuration for route-based if_ipsec(4), and what the timeline is for that.
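A worked configuration of the route-based setup DavidDPD describes (if_ipsec(4) tunnel with OSPF running straight over it, no GRE), added here as an example and not taken from any poster or from pfSense. It follows the manual-SA pattern in the if_ipsec(4) man page; the addresses, reqid 200, SPIs, keys, router-id, LAN prefix and Quagga file path are placeholders I chose for the example.

```conf
# --- /etc/rc.conf (site A; site B mirrors it with the addresses swapped) ---
# Needs IPsec in the kernel (options IPSEC, or the ipsec module on 11.1).
# "reqid 200" binds the interface to the SAs below: packets routed into
# ipsec0 are encapsulated with exactly those SAs, no SPD policy needed.
cloned_interfaces="ipsec0"
create_args_ipsec0="reqid 200"
# Inner point-to-point /30 that OSPF runs over, then the outer (public)
# endpoints. 192.0.2.1 / 198.51.100.1 are placeholder documentation addresses.
ifconfig_ipsec0="inet 10.255.0.1/30 10.255.0.2 tunnel 192.0.2.1 198.51.100.1"
gateway_enable="YES"
# Load the manual SAs at boot from the setkey(8) file below.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# --- /etc/ipsec.conf (setkey(8) syntax, read by the rc.d/ipsec script) ---
# Tunnel-mode SAs tagged with the same reqid (-u 200). This is the lab
# pattern from the man page: fixed keys that never rotate and no integrity
# algorithm, so in production let IKE (strongSwan) install the SAs instead,
# with its conn "reqid" set to 200 and an authenticated cipher.
add 192.0.2.1 198.51.100.1 esp 10000 -m tunnel -u 200 -E rijndael-cbc "LAB-ONLY-KEY-A01";
add 198.51.100.1 192.0.2.1 esp 10001 -m tunnel -u 200 -E rijndael-cbc "LAB-ONLY-KEY-B01";

# --- /usr/local/etc/quagga/ospfd.conf (Quagga; FRR accepts the same) ---
# ipsec0 looks like an ordinary point-to-point interface to ospfd, so hellos
# and LSAs travel inside ESP and the far LAN is learned dynamically.
# MD5 on the adjacency keeps a stray device on the /30 from injecting LSAs.
interface ipsec0
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 LAB-ONLY-OSPF-KEY
!
router ospf
 ospf router-id 10.255.0.1
 passive-interface default
 no passive-interface ipsec0
 network 10.255.0.0/30 area 0
 network 10.1.0.0/24 area 0
!
# Checks once both sides are up: "setkey -D" lists both SAs, "ifconfig ipsec0"
# shows the tunnel and inner addresses, and "vtysh -c 'show ip ospf neighbor'"
# shows the peer in state Full, after which "netstat -rn" carries the far LAN.
```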