ipfw and strongswan

[Victor Gamov]

Hi Christoph

You can try to use ipfw on if_enc(4) interface to control ipsec traffic.



On 01/12/2020 21:00, Christoph Harder wrote:
> Hello everybody,
> 
> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for VPN connections (tunnel mode) and ipfw as firewall.
> Currently the box is configured as VPN endpoint, but is not the main gateway of the network (I'm not using it as a firewall or router for the network). The box is connected by a single interface to the central network switch.
> 
> VPN with multiple locations is working great, but I would love to have a bit more control over the actual traffic that is send and received over IPsec.
> If the box had multiple networks connected to it on different interfaces I would be able to filter on the output interface, but that's not possible at the moment.
> 
> Is there an easy way to have one interface for each IPsec connection that can be used to filter traffic with ipfw?
> 
> Strongswan also has the option to mark traffic, for example the following swanctl configuration settings:
> connections.<conn>.children.<child>.mark_in, connections.<conn>.children.<child>.mark_in_sa, connections.<conn>.children.<child>.mark_out, connections.<conn>.children.<child>.set_mark_in, connections.<conn>.children.<child>.set_mark_out
> Is this working on FreeBSD with ipfw?
> 
> Strongswan also has the option to set the interface Id, but I believe this XFRM specific option probably wont work on FreeBSD.
> connections.<conn>.if_id_in, connections.<conn>.if_id_out, connections.<conn>.children.<child>.if_id_in, connections.<conn>.children.<child>.if_id_out
> 
> Is anybody else using Strongswan with ipfw and can help?


-- 
CU,
Victor Gamov