start adding support for route-based ipsec vpns.
rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.
to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields. When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
projects / openbsd / commit