On 2019-01-16, Daniel Ouellet <[email protected]> wrote:
>> Maybe you misunderstood - I am just talking about a couple of lines in
>> ipsec.conf to setup the bypass flow, but still use iked for the
>> actual vpn connection.
>
> That's fair. Maybe I misunderstood you, I thought that you
> recommended to actually switch to use the ipsec one instead.
>
> For the setup of the bypass flow, doesn't it actually need to be up and running
> first, meaning setting up both sides of the VPN for this?

Not afaik. I haven't tested setting it up before bringing up a VPN
but I don't see any reason why it wouldn't work whether it's setup
before or after. It just creates an entry in the kernel's flow database.

You don't actually even need an ipsec.conf file, you could just do

$ echo 'flow from 192.0.2.1/32 to 192.0.2.2/32 type bypass' | doas ipsecctl -vf -

(though it's easier to have it configured automatically if you do
have the file present, you then just set "ipsec=yes" in rc.conf.local).

> As for other solutions, sure there are other choices, but for decades I
> stick to the simplest solution possible and call me stubborn, I do
> everything with OpenBSD, sure some stuff may be best with something
> else, but over time I got so comfortable with OpenBSD that I am willing
> to have a bit weird setup at times, or less efficient as well, just use
> more hardware when that happens.

The problem with weird setups is that, by definition, you're running
things which aren't particularly likely to be tested by others.
Meaning that there's less chance of others finding bugs that might
affect your configuration before you find them the hard way :-)

> I have no clue how old you are and that's none of my business, but you
> will see as time goes, you will too try to make your life simpler and
> value the time you have more. (;

Old enough to value simplicity :)

> So, if there is a way to do the flow bypass without having the full
> ikev1 running between the tunnels, I sure will give it a run.
>
> I didn't understand your statement as such, sorry, my bad.

No worries!

Sorry for skipping the bits about rdomains, I have only run with them
in very simple cases and have 0 experience mixing them with ipsec.

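As an added example that is not part of the thread above: a small sh script that writes the bypass flow for the two endpoints into an ipsec.conf(5)-style file, parse-checks it with `ipsecctl -nf` (parse only, nothing is loaded) when ipsecctl is available, and collects the load-and-verify commands in one place. The addresses 192.0.2.1 and 192.0.2.2 are taken from the message; the file path, function names and the `ipsec=YES` line for rc.conf.local are the example's own assumptions. The tunnel itself is still left to iked(8); only the bypass entry in the kernel flow database is managed here.

```sh
#!/bin/sh
# Added example (not from the thread): manage an IPsec bypass flow between two
# VPN endpoints on OpenBSD with ipsecctl(8), without touching iked(8).
# Assumed addresses: 192.0.2.1 (local) and 192.0.2.2 (remote).
set -eu

# Emit the ipsec.conf(5) rule that exempts host-to-host traffic between the two
# endpoints from IPsec. With no in/out keyword, ipsecctl installs the flow in
# both directions.
bypass_rule() {
    local_ip=$1; remote_ip=$2
    printf 'flow from %s/32 to %s/32 type bypass\n' "$local_ip" "$remote_ip"
}

# Write a minimal rule file (what you would keep as /etc/ipsec.conf so that
# ipsec=YES in rc.conf.local loads it at boot). Prints the file path.
write_ipsec_conf() {
    conf=$1
    {
        echo '# bypass flow only; the tunnel itself is managed by iked(8)'
        bypass_rule "$2" "$3"
    } > "$conf"
    printf '%s\n' "$conf"
}

# Count the bypass rules in a file (used to verify what was written).
count_bypass_rules() {
    grep -c '^flow .* type bypass$' "$1"
}

# Syntax-check a rule file with ipsecctl -n (parse only, load nothing).
# Returns 0 if the file parses, non-zero if it does not, and 2 when ipsecctl
# is not installed (e.g. when this script runs on a non-OpenBSD host).
check_conf() {
    command -v ipsecctl >/dev/null 2>&1 || return 2
    ipsecctl -nf "$1"
}

# Install the flows (needs root, hence doas) and list the kernel flow database;
# the bypass entries show up next to the flows iked installed for the tunnel.
load_conf() {
    doas ipsecctl -vf "$1"
    ipsecctl -sf
}

main() {
    conf=$(write_ipsec_conf "${TMPDIR:-/tmp}/ipsec.conf.bypass" 192.0.2.1 192.0.2.2)
    cat "$conf"
    if check_conf "$conf"; then
        echo "syntax OK: copy $conf to /etc/ipsec.conf, set ipsec=YES in rc.conf.local, then run: load_conf $conf"
    elif [ $? -eq 2 ]; then
        echo "ipsecctl not found; skipping syntax check"
    else
        echo "ipsecctl rejected $conf" >&2
        return 1
    fi
}

main "$@"
```

Because `ipsecctl -f` only adds rules (it is `-F` that flushes), loading this file on a host where iked already runs leaves iked's tunnel flows in place; the /32 bypass entry simply sits beside them in the flow database, which is why the order in which the VPN and the bypass are brought up does not matter.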