# ipsec "Road Warrior" setup question

## jmj75 (Aug 25, 2012)

I have set up an ipsec configuration which is compatible with iOS and OS X's built-in Cisco ipsec clients, i.e. in a "Road warrior" type setup.  The configuration works and runs on my router with the following topology:

```
(INTERNET)-----( router )--->to lan
            vr1        bridge0
        a.a.a.a        b.b.b.b
```

The racoon daemon listens on my public ip, a.a.a.a and b.b.b.b is the lan-side address for my lan subnet (e.g., 10.0.1.0/24). The address pool for ipsec clients starts at 172.0.1.10 with a pool size of 10. I also defined "split_network include 10.0.1.0/24;" in racoon.conf and defined appropriate firewall rules in pf.conf to pass ipsec protocols. My question is the following:

After establishing an ipsec session, say for the client 172.16.1.10, then I must add the following rule to my pf rules in order for the client to reach my b.b.b.0/24 subnet,

```
pass in on vr1 from 172.16.1.10 to 10.0.1.0/24
```

I am uneasy with opening traffic on my wan port for 172.16.1.0/24 (I normally block reserved addresses on vr1). Is there a way to attach the tunneled 172.16.1.0/24 traffic to a separate interface, i.e. separate the tunneled traffic from the vr1 (wan) port and still retain the "road warrior" capability? I am aware that a site-to-site ipsec tunnel can be made with a gif0 interface on *both ends*, but it's not clear how to implement a gif0 tunnel on my router's end, so that it can communicate with the cisco client software on the client's end (which seems to open a utun0 interface on the client).

Regards,
-jmj75
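One way to narrow that `pass in on vr1` rule, given here as an added example and not as anything from the original post: on FreeBSD, if_enc(4) exposes IPsec traffic on the `enc0` pseudo-interface, so pf can match the decrypted packets there instead of on the WAN port. The fragment below assumes a FreeBSD router with if_enc available and `enc0` up, racoon already handling IKE, the addresses from the post (vr1 as WAN, 10.0.1.0/24 as the LAN, 172.16.1.0/24 as the client pool), and that a pf tag applied on `enc0` is still attached to the packet when the kernel hands the decrypted packet back to IP input and pf evaluates it a second time on vr1, which is the pass the original rule was opened for. The tag name `IPSEC_IN` is made up for this example.

```pf
# pf.conf fragment (added example, not from the original post).
# Assumed prerequisites outside pf.conf:
#   kernel/module:    if_enc (device enc)
#   /etc/rc.conf:     ifconfig_enc0="up"
#   /etc/sysctl.conf: net.enc.in.ipsec_filter_mask=2   # inbound: filter after decryption
#                     net.enc.out.ipsec_filter_mask=1  # outbound: filter before encryption
#   (bit 0x01 = before IPsec processing, 0x02 = after; check with: sysctl net.enc)

wan     = "vr1"
lan_net = "10.0.1.0/24"
rw_pool = "172.16.1.0/24"
bogons  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Only IKE (UDP 500, NAT-T 4500) and ESP are accepted from the Internet on vr1.
pass in quick on $wan proto udp from any to ($wan) port { 500, 4500 } keep state
pass in quick on $wan proto esp from any to ($wan) keep state

# Cleartext that came out of a security association is matched on enc0,
# never as plain traffic on vr1.  Only the road-warrior pool may reach the
# LAN; the tag lets the second evaluation on vr1 (below) recognise it.
pass in  quick on enc0 from $rw_pool to $lan_net tag IPSEC_IN keep state
pass out quick on enc0 from $lan_net to $rw_pool keep state
block in quick on enc0 all    # anything else arriving inside a tunnel is dropped

# If the kernel re-runs pf on vr1 for the decrypted packet, accept it only
# when it carries the tag set on enc0.  Untagged packets claiming to be from
# the pool, i.e. spoofed plaintext on the WAN, fall through to the block.
pass in quick on $wan from $rw_pool to $lan_net tagged IPSEC_IN keep state
block in quick on $wan from $bogons to any
```

To confirm the rules are doing what you expect, watch `tcpdump -ni enc0` while a client is connected (decrypted packets should appear there, not as plaintext on vr1) and compare per-rule counters with `pfctl -vvsr`: the `tagged IPSEC_IN` rule should count packets while the final bogon block stays at zero for the pool during normal use.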

----------