Routed IPsec allows IPsec tunnels to be configured and used like interfaces, allowing routing and dynamic routing protocols to be used. It utilizes Virtual Tunnel Interfaces (VTI) in FreeBSD. Benefits include more natural traffic flow respecting routing, no need for extensive policy definitions, and integration with other routed IPsec implementations. It is available in pfSense snapshots and 2.4.4, with some limitations around reply-to and NAT. Configuration involves choosing a transit network, setting up Phase 1 and 2 with the VTI mode, assigning the ipsec interface, and setting routing or firewall rules. Examples of static routing, dynamic routing with FRR, and policy-based routing were provided.
2. About this Hangout
● Netgate News
● What is routed IPsec?
● Why use routed IPsec?
● Limitations
● Availability
● Configuring Routed IPsec
● Static Routing Example
● Dynamic Routing Example
3. Netgate News
● TNSR is now available on AWS!
– https://www.netgate.com/blog/the-behemoth-router-is-here.html
● pfSense 2.4.3-p1 and 2.3.5-p2 released!
– https://www.netgate.com/blog/pfsense-2-4-3-release-p1-and-2-3-5-release-p2-now-available.html
– OpenSSL security updates and other security fixes, plus other misc bug fixes
● pfSense 2.4.4 is in development
– Latest variants of Meltdown/Spectre, plus Lazy FP State Restore are addressed in snapshots
● https://www.netgate.com/blog/pfsense-software-and-cve-2018-8897.html
– FreeBSD 11.2 base, Routed IPsec, PHP 7.2, hybrid ISO/Memstick installer image
● New forum at https://forum.netgate.com
– https://www.netgate.com/blog/introducing-the-netgate-forum.html
– Uses NodeBB, GDPR compliant, Much better overall browser and mobile experience
4. Netgate News
● Documentation Wiki converted to Sphinx
– https://www.netgate.com/docs/pfsense/
– https://www.netgate.com/blog/moving-the-pfsense-documentation-to-github.html
– Easier to take contributions via Github PRs
– No worries about wiki spam
– Contributions can be reviewed before they are accepted rather than cleaned up after
● pfSense now available to QNAP Virtualization Station users
– https://www.netgate.com/blog/pfsense-now-available-to-all-qnap-virtualization-station-users.html
● Updates to our Privacy Policy
– https://www.netgate.com/blog/updates-to-our-privacy-policy.html
● Netgate was at BSDCan earlier this month
5. What is routed IPsec?
● Route-based IPsec, which is different from a traditional tunnel (policy-based)
● Uses Virtual Tunnel Interfaces (VTI)
● In FreeBSD since 11.1 via if_ipsec(4)
● Works with both IKEv1 and IKEv2
● Sets up an ipsecX interface at the OS level, rather than using enc0
● This ipsecX interface can be assigned and used like other interfaces
– Works similar to an assigned OpenVPN interface
● An automatic gateway entry is created when assigned
● Usable for routing, NAT, etc
● Can be used for static routes, policy routes, dynamic routing
● Completely optional, traditional policy-based IPsec tunnels still work
6. Why use routed IPsec?
● Traffic flows in a more natural, logical way, respecting traditional routing practices
– Doesn’t rely on kernel magic to catch and direct packets into IPsec!
● No need to define P2s for every network crossing IPsec, only routes!
● Works with other routed IPsec implementations (e.g. TNSR, AWS VPC)
● Can utilize gateways and gateway groups
– Useful for selectively sending traffic across IPsec (e.g. certain Internet destinations)
– Can be used for failover between multiple tunnels
● Dynamic routing (e.g. BGP) for managing routes or failover between multiple IPsec connections
– Multi-WAN, AWS VPC
● IPsec with large numbers of subnets
– No need for numerous P2s, only routes
● Sending traffic to/from the firewall itself across IPsec
– e.g. RADIUS, LDAP, syslog, SNMP, DHCP relay
7. Limitations/Downsides
● Only optimal if both sides support routed IPsec. Otherwise, it may take some fussing with P2s on the side that doesn't, and many of the benefits are moot.
– If you have ever used AWS VPC with policy-based IPsec, you may be familiar with this frustration!
● Instead of managing P2 entries in IPsec, now you have to manage routing in some way (static routes, etc)
– Since this can be dynamic with BGP or OSPF, this is not necessarily a hindrance
● Traffic shows up on enc0 and the ipsecX interface, must be passed on IPsec tab rules
– Still undergoing testing, but likely means that reply-to will not function
– This also leads to some issues with NAT: Notably, NAT to the interface address works OK, but 1:1 NAT or NAT to an alternate address does not work.
● Though it behaves similarly, this is not the same as transport mode + GRE
– If the far side requires GRE, you will still need to use transport+GRE
● New feature, though internal testing has gone well, it still needs testing/feedback from outside users for a variety of scenarios
– Example: Feedback on interoperability with other routed IPsec platforms such as Juniper
8. Availability
● In snapshots now, will be in pfSense 2.4.4-RELEASE
● Release will be happening soon, in Q3
● Still a work in progress but core functionality is there
● Documentation will be posted in the next week or two
9. Configuring Routed IPsec
● Pick a transit network, typically a /30 network in an unused subnet
– Similar to choosing a tunnel network for a shared key OpenVPN instance. For this example, we will use 10.8.222.0/30
● Determine other IPsec settings, similar to most other tunnels except for P2 local/remote
– Local IPsec Endpoint: 198.51.100.8
– Remote IPsec Endpoint: 203.0.113.5
– IKE Version: 2
– Auth: PSK, 01234567890123456789012345678901
– P1 Encryption/Hash/DH/Lifetime: AES 256, SHA 256, DH 14, 28800
– Local P2 Endpoint: 10.8.222.1/30 (from transit network above!)
– Remote P2 Endpoint: 10.8.222.2
– P2 Encryption/Hash/PFS/Lifetime: AES 128, SHA 256, PFS 14, 3600
10. Configuring Routed IPsec
● Create an IPsec Phase 1 entry as usual
● Create a Phase 2 entry under this Phase 1, set with…
– Set Mode to Routed (VTI)
– Set Local Network to Network
– Enter 10.8.222.1/30 for the Local Network Address
– Enter 10.8.222.2 for the Remote Network Address
– Add a useful Description
– Set the Proposal settings as needed
● Click Save, then click Apply Changes
11. Configuring Routed IPsec
● Navigate to Interfaces > Assignments
● Pick the new ipsecX interface from the Available Network Ports list
– The IPsec interface will have a number such as ipsec1000 which corresponds to the internal connection ID in strongSwan, such as con1000. This also lines up with a request id (reqid) of 1000. They are numbered this way to avoid automatic conflicts/collisions which can happen with lower numbers.
● Click + Add
● Note the new interface name, e.g. OPT1
● Navigate to Interfaces > [New Interface Name]
● Check Enable
● Give the interface a more suitable name using the Description field (e.g. VTI_FOO)
● Leave the IPv4 Configuration Type and IPv6 Configuration Type set to None
● Click Save, then click Apply Changes
12. Configuring Routed IPsec
● Navigate to Firewall > Rules, IPsec tab, add rules to pass traffic
● At this point the interface is available for use like any other interface
● A gateway is created automatically and can be used for static routing, policy routing, etc.
– Visit System > Routing to check it
13. Static Routing Example
● Navigate to System > Routing, Static Routes tab
● Click + Add
● Enter the Destination Network, which is the network on the far side of the tunnel, e.g. 10.7.0.0/24
● Pick the Gateway for the IPsec VTI interface
● Enter a Description
● Click Save
● Repeat for any additional networks to route across the tunnel
● Click Apply Changes when done
● Navigate to Diagnostics > Routes and make sure the route shows up
● Make sure the far side has a similar route for networks on this firewall!
● Alternately, you can set up policy routing rules, such as a rule on LAN to nudge traffic across the tunnel
14. Dynamic Routing Example
● Install a dynamic routing package that supports the protocol you want
– FRR: Preferred, supports BGP and OSPF
● Refer to the December 2017 hangout on Dynamic Routing with FRR for more info
– Quagga: supports OSPF, can do manual BGP
– openbgpd: Avoid if possible, but can do BGP
● Brief FRR Example:
– Install package, Services > FRR Global/Zebra
– Enable, enter a Master Password, set Router ID to LAN IP address, Save
– [BGP] tab, Enable, enter a Local AS for this side (e.g. 65501)
– Enter a list of Networks to Distribute for this side (e.g. LAN subnet, DMZ subnet, etc), save
– Neighbors tab, Add new, enter far side IPsec VTI address (e.g. 10.6.106.2), Remote AS (e.g. 65502), set Update Source to VTI interface
– Save, then do other side, but swap the local/remote info
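The configuration, static routing and FRR slides above all derive from a handful of shared values: the /30 transit network, which side gets which transit address, the far-side subnets, and (for BGP) the AS numbers. The script below is an added example, not Netgate's or pfSense's code, that plans both sides of such a tunnel at once: it rejects a transit network that is not a /30 or that overlaps a routed subnet, swaps the Phase 2 local/remote addresses for the far side, lists the static routes each side needs via the peer's transit address, and renders the equivalent FRR "router bgp" stanza for each side when AS numbers are given. The endpoint, subnet, LAN and AS values are constructed samples (slide values where the deck gives them); the ipsec1000/con1000/reqid 1000 mapping and the 10.8.222.0/30 transit network come from the slides.

```python
"""Added example, not Netgate's code: plan both sides of a routed IPsec (VTI)
tunnel from the settings used on the configuration, static and dynamic routing
slides.  All addresses, subnets and AS numbers are constructed sample values
(slide values where the deck gives them)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Side:
    name: str
    endpoint: IPv4Address           # public IKE endpoint (Phase 1)
    lan_ip: IPv4Address             # used as the FRR router ID, as the slides suggest
    networks: List[IPv4Network]     # subnets this side routes across the tunnel
    local_as: Optional[int] = None  # BGP AS number; None selects static routing


def make_side(name: str, endpoint: str, lan_ip: str, networks: List[str],
              local_as: Optional[int] = None) -> Side:
    return Side(name, ip_address(endpoint), ip_address(lan_ip),
                [ip_network(n) for n in networks], local_as)


def transit_problem(transit: str, a: Side, b: Side) -> Optional[str]:
    """Return why the transit network is unusable, or None if it is fine."""
    net = ip_network(transit)
    if net.prefixlen != 30:
        return f"transit {net} should be a /30 (two host addresses, one per side)"
    for side in (a, b):
        for routed in side.networks:
            if net.overlaps(routed):
                return f"transit {net} overlaps {side.name} network {routed}"
    return None


def vti_names(con_id: int) -> Dict[str, object]:
    """strongSwan con1000 <-> pfSense interface ipsec1000 <-> reqid 1000."""
    return {"connection": f"con{con_id}", "interface": f"ipsec{con_id}", "reqid": con_id}


def frr_bgp_config(local: Side, remote: Side, peer_vti_ip: IPv4Address, vti_if: str) -> str:
    """FRR 'router bgp' stanza equivalent to the BGP and Neighbors tab settings."""
    lines = [f"router bgp {local.local_as}",
             f" bgp router-id {local.lan_ip}",
             f" neighbor {peer_vti_ip} remote-as {remote.local_as}",
             f" neighbor {peer_vti_ip} update-source {vti_if}"]
    lines += [f" network {net}" for net in local.networks]   # Networks to Distribute
    return "\n".join(lines)


def plan_side(transit: IPv4Network, local: Side, remote: Side,
              local_vti: IPv4Address, peer_vti: IPv4Address, con_id: int) -> dict:
    iface = vti_names(con_id)["interface"]
    plan = {
        "p1_local": str(local.endpoint), "p1_remote": str(remote.endpoint),
        "p2_local": f"{local_vti}/{transit.prefixlen}",  # Local Network Address, with mask
        "p2_remote": str(peer_vti),                      # Remote Network Address
        "interface": iface,
    }
    if local.local_as is None or remote.local_as is None:
        # Static routing: every far-side subnet goes via the peer's transit address,
        # which is the gateway pfSense creates for the assigned VTI interface.
        plan["static_routes"] = [(str(n), str(peer_vti)) for n in remote.networks]
        plan["frr_bgp"] = None
    else:
        plan["static_routes"] = []
        plan["frr_bgp"] = frr_bgp_config(local, remote, peer_vti, iface)
    return plan


def plan_tunnel(transit: str, a: Side, b: Side, con_id: int = 1000) -> Dict[str, dict]:
    problem = transit_problem(transit, a, b)
    if problem:
        raise ValueError(problem)
    net = ip_network(transit)
    a_vti, b_vti = net.hosts()          # first usable address -> side a, second -> side b
    return {a.name: plan_side(net, a, b, a_vti, b_vti, con_id),
            b.name: plan_side(net, b, a, b_vti, a_vti, con_id)}


def sample_plan(dynamic: bool) -> Dict[str, dict]:
    """Constructed sample: slide endpoints and transit network, made-up LANs and AS numbers."""
    hq = make_side("hq", "198.51.100.8", "10.6.0.1", ["10.6.0.0/24", "10.6.1.0/24"],
                   65501 if dynamic else None)
    branch = make_side("branch", "203.0.113.5", "10.7.0.1", ["10.7.0.0/24"],
                       65502 if dynamic else None)
    return plan_tunnel("10.8.222.0/30", hq, branch)


if __name__ == "__main__":
    for name, plan in sample_plan(dynamic=True).items():
        print(f"== {name} ==")
        for key, value in plan.items():
            print(f"{key}: {value}")
```

Running it with dynamic=False gives the static-route list each side must enter under System > Routing; with dynamic=True it gives the per-side FRR settings with local and remote already swapped, which is the part of the procedure that is easiest to get wrong when the second firewall is configured by hand.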
15. Policy Routing Example
● Internet provider style example
● Firewall > NAT, Outbound tab
– Switch to Hybrid Outbound NAT
– Add a rule to the top, to NAT on the VTI interface
● Source is whatever local network(s) you want, e.g. LAN
● Translated to the Interface address
– Save, Apply
● Firewall > Rules, LAN tab
– Add rules to pass to whatever destination should cross IPsec
● On these rules, choose the VTI interface gateway
● Alternately, NAT traffic as it exits the remote side
– With static routes, if far side is pfSense it will be included in automatic outbound NAT
– Otherwise, use hybrid outbound NAT and add rule(s) to NAT the routed subnet(s)
16. Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, Reddit, etc
● Hangout format changing soon, Fuze is discontinuing this service!