Route-based VPN with FreeBSD-11.1's IPsec VTI

I have managed to set up a route-based IPsec VPN with FreeBSD 11.1-RC3, which introduced the IPsec virtual tunnel interface if_ipsec(4). Here is a record of my experiment, just for your information.


Network configuration

NOTE: The following text shows bsd1 configurations only.

              --- [bsd1] ----- /// ----- [bsd2] ---                              

strongSwan setup


$ sudo pkg install strongswan


conn route-based
  left =
  right =
  leftsubnet =
  rightsubnet =

  authby = psk
  keyexchange = ikev2
  ike = aes256-sha1-modp1024
  ikelifetime = 28800

  mobike = no
  installpolicy = no
  reqid = 100

  esp = aes256-sha1
  lifetime = 3600

  auto = start

/usr/local/etc/ipsec.secrets

%any : PSK "xxxxxxxxxxxxxxxx"


Just add ‘install_routes = no’ to the charon section, so that charon does not install routes itself; the routes are added manually to the ipsec interface instead.

charon {
  install_routes = no

  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}

include strongswan.d/*.conf

System setup

Manually configure the IPsec interface and add routes

$ sudo ifconfig ipsec0 create reqid 100
$ sudo ifconfig ipsec0 inet tunnel up
$ sudo ifconfig ipsec0 inet
$ sudo route add
$ sudo route add

Start strongSwan and do some testing

$ sudo service strongswan onestart
$ sudo setkey -D
$ sudo setkey -DP
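The point of the testing step is to confirm that the reqid given to ipsec0 (reqid 100 above) is the same reqid carried by the SAs charon installed, because if_ipsec(4) only matches SAs by that number. The following POSIX sh script is an added example, not part of the original post; it parses constructed samples modelled on the output of ifconfig ipsec0 and setkey -D (the exact field layout of those commands is an assumption), and on a real host the two sample functions would be replaced by the live commands.

```shell
#!/bin/sh
# Added example: check that the VTI's reqid has SAs installed in both directions.
# The sample outputs below are constructed, not captured from a real host.

# Constructed sample of `ifconfig ipsec0` (format assumed).
sample_ifconfig() {
cat <<'EOF'
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet 192.0.2.1 --> 198.51.100.1
    inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
    reqid: 100
    groups: ipsec
EOF
}

# Constructed sample of `setkey -D` after IKE installed one SA per direction.
sample_setkey() {
cat <<'EOF'
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=100(0x00000064)
    E: aes-cbc  ...
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=3203386110(0xbeefcafe) reqid=100(0x00000064)
    E: aes-cbc  ...
EOF
}

# vti_reqid: print the reqid the interface reports (reads ifconfig output on stdin).
vti_reqid() { awk '/^[[:space:]]*reqid:/ { print $2 }'; }

# sa_count_for_reqid REQID: count tunnel-mode ESP SAs carrying REQID (setkey -D on stdin).
sa_count_for_reqid() {
  awk -v want="$1" '/esp mode=tunnel/ { split($0, f, "reqid="); sub(/\(.*/, "", f[2]);
                                        if (f[2] == want) n++ } END { print n + 0 }'
}

# check_tunnel IFCONFIG_OUT SETKEY_OUT: succeed only when the VTI's reqid has at
# least two SAs (inbound and outbound). While this fails, traffic routed to ipsec0
# cannot be protected, so it is the first thing to verify after starting charon.
check_tunnel() {
  reqid=$(printf '%s\n' "$1" | vti_reqid)
  [ -n "$reqid" ] || { echo "no reqid on interface" >&2; return 1; }
  n=$(printf '%s\n' "$2" | sa_count_for_reqid "$reqid")
  [ "$n" -ge 2 ] || { echo "reqid $reqid: only $n SA(s) installed" >&2; return 1; }
  echo "reqid $reqid: $n SAs installed"
}

check_tunnel "$(sample_ifconfig)" "$(sample_setkey)"
```

A mismatch between the reqid on the interface and the reqid in ipsec.conf shows up here as zero SAs for the interface's reqid, even though setkey -D lists SAs.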

Make them all persistent

At the time of 11.1-RC3, I couldn’t find a way to fully set up the ipsec interface with rc.conf alone, so I reluctantly used /etc/rc.local.

Maybe /etc/network.subr (clone_up?) will be updated to support it in the near future.


create_args_ipsec0="reqid 100"
static_routes="remote1 remote2"


ifconfig ipsec0 inet tunnel