Hi,
On 04/12/2020 18:55, Bryan Fields via 44Net wrote:
I take the position that it's ham radio, I don't mess with IPSEC, just run GRE directly on the connection.
This is perfectly fine and I'm not going to say you're wrong for doing it this way, but if you were building out something that could be used for emergency communication then it can pay to add authentication. You might also end up cornered into carrying potential personal information over your network (e.g. safety of life exemptions), and it'd be nice if you limited the scope of the interceptable traffic to only the RF portion of the network.
In HamBSD (and OpenBSD) configuring IPSec for a GRE tunnel requires:
1. copy the public keys from one host to the other
2. add one line to /etc/iked.conf with the IP addresses and the names for the public keys you copied in step 1
3. enable/start/restart iked
It's not magic, it's not mystery, it's actually pretty simple. That one line of config looks like:
ikev2 'mb7uar_rsa' passive esp from 44.190.21.233/32 to 44.190.21.234/32 local 44.190.21.1 srcid hambsd.org dstid mb7uar.hambsd.org rsa
This configures a tunnel that expects an inbound connection (MB7UAR has redundant internet connections, and is behind a NAT on both, so the other end is not fixed) with the first two IP addresses as the "internal" tunnel IP addresses. The third IP address is where to listen "outside" the tunnel. The srcid and dstid just match up the public keys to make sure you're authenticated.
Thanks, Iain.