A new tool for creating flexible, route-based site-to-site virtual private networks (VPNs) is entering its call-for-testing phase on OpenBSD-current.
In a message to the tech@ mailing list on July 4th, 2023, David Gwynne (dlg@) presented a diff that adds a new virtual network interface dubbed sec(4). The message reads,
Subject: sec(4): route based ipsec vpns
From: David Gwynne <david () gwynne ! id ! au>
Date: 2023-07-04 5:26:30

tl;dr: this adds sec(4) p2p ip interfaces. Traffic in and out of these interfaces is protected by IPsec security associations (SAs), but there's no flows (security policy database (SPD) entries) associated with these SAs. The policy for using the sec(4) interfaces and their SAs is route-based instead.

Longer version:

I was going to use "make ipsec great again^W" as the subject line, but thought better of it.

The reason I started on this was to better interoperate with "site-to-site" vpns, in particular AWS Site-to-Site VPNs, and the Auto-Discovery VPN (ADVPN) stuff on fortinet fortigate appliances. Both of these negotiate IPsec tunnels that can carry any traffic at the IPsec level, but use BGP and routes to direct traffic into those tunnels.
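As an added illustration, not part of the posted diff or the message above, this is the configuration shape the design implies on one sec(4) endpoint: the negotiated SAs are bound to the interface rather than to SPD flows, and ordinary routes decide which traffic enters the tunnel. The addresses and identities are constructed placeholders, and the iked.conf `iface` keyword is assumed from the iked(8) integration that later OpenBSD releases ship alongside sec(4), not from the call-for-testing diff itself.

```conf
# /etc/hostname.sec0  (constructed example; addresses are placeholders)
# Point-to-point tunnel addresses: this site is 10.255.0.1, the peer 10.255.0.2.
inet 10.255.0.1 255.255.255.252
up
# Route-based policy: 10.20.0.0/16 is never negotiated as an IPsec flow.
# It reaches the remote site only because this route points into sec0.
# With BGP over the tunnel, the peer would announce this prefix instead.
!route add -inet 10.20.0.0/16 10.255.0.2

# /etc/iked.conf  (constructed example; "iface" assumed from later releases)
# No SPD flows are installed for this policy: "from any to any" only states
# what the SAs may carry, and "iface sec0" binds those SAs to the interface.
ikev2 "site-b" active esp from any to any \
        local 192.0.2.1 peer 198.51.100.1 \
        iface sec0 \
        srcid site-a.example.net dstid site-b.example.net \
        psk "CHANGE-ME-placeholder-psk"
```

Because no flow covers 10.20.0.0/16, removing the route (or withdrawing the BGP announcement) is enough to stop that prefix from using the tunnel, and `ipsecctl -sa` on the endpoint should show SAs but no matching flows for it.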