ipfw and strongswan

Michael Sierchio kudzu at tenebras.com
Tue Dec 1 19:37:32 UTC 2020


Exactly.  Pay attention to the sysctl settings.  See the man page. *man enc*

net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1


Those are my values.   YMMV



On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov <vit at otcnet.ru> wrote:

> Hi Christoph
>
> You can try to use ipfw on if_enc(4) interface to control ipsec traffic.
>
>
>
> On 01/12/2020 21:00, Christoph Harder wrote:
> > Hello everybody,
> >
> > I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for
> VPN connections (tunnel mode) and ipfw as firewall.
> > Currently the box is configured as VPN endpoint, but is not the main
> gateway of the network (I'm not using it as a firewall or router for the
> network). The box is connected by a single interface to the central network
> switch.
> >
> > VPN with multiple locations is working great, but I would love to have a
> bit more control over the actual traffic that is sent and received over
> IPsec.
> > If the box had multiple networks connected to it on different interfaces
> I would be able to filter on the output interface, but that's not possible
> at the moment.
> >
> > Is there an easy way to have one interface for each IPsec connection
> that can be used to filter traffic with ipfw?
> >
> > Strongswan also has the option to mark traffic, for example the
> following swanctl configuration settings:
> > connections.<conn>.children.<child>.mark_in,
> connections.<conn>.children.<child>.mark_in_sa,
> connections.<conn>.children.<child>.mark_out,
> connections.<conn>.children.<child>.set_mark_in,
> connections.<conn>.children.<child>.set_mark_out
> > Is this working on FreeBSD with ipfw?
> >
> > Strongswan also has the option to set the interface Id, but I believe
> this XFRM specific option probably won't work on FreeBSD.
> > connections.<conn>.if_id_in, connections.<conn>.if_id_out,
> connections.<conn>.children.<child>.if_id_in,
> connections.<conn>.children.<child>.if_id_out
> >
> > Is anybody else using Strongswan with ipfw and can help?
>
>
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
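As an added example that is not part of the thread (and not strongSwan's or FreeBSD's own code), the following script turns the advice above into a concrete ipfw rule set: the enc(4) sysctls quoted in the message, rules on the physical interface that admit only IKE and ESP from known peers, and per-peer rules on enc0 that match the decrypted inner addresses. It prints the commands instead of running them so they can be reviewed first. Everything specific to the box is an assumption: the enc interface is enc0, the physical interface is em0, the addresses and the peer table are constructed, rule numbers 1000-2999 are free, and the net.enc masks are taken to deliver the decrypted packet to the filter in both directions. Confirm that last point on the box itself with `tcpdump -ni enc0`, which shows exactly what the enc0 rules are matched against, and with the per-rule counters in `ipfw -a list`.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan/FreeBSD:
# print an ipfw rule set that filters tunnel-mode IPsec traffic on enc(4),
# one group of rules per strongSwan peer, plus the rules on the physical
# interface that let IKE and ESP reach the box at all.
#
# Assumptions (none from the thread): enc interface enc0, physical interface
# em0, rule numbers 1000-2999 free, and the net.enc masks below make the enc0
# rules see the decrypted inner packet in both directions. Verify with
# `tcpdump -ni enc0` and `ipfw -a list` before relying on the rules.

ENC_IF=enc0
OUTER_IF=em0
MY_ADDR=203.0.113.10          # public address of the VPN box (constructed)

# Constructed peer table: name  peer_public_addr  local_net  remote_net  tcp_ports
PEERS='
office-a 198.51.100.7 10.10.0.0/24 10.20.0.0/24 22,443
office-b 198.51.100.9 10.10.0.0/24 10.30.0.0/24 443
'

# The enc interface must be up, and these are the sysctl values quoted in
# the message above; enc(4) documents what each bit of the masks means.
enc_setup() {
    echo "ifconfig $ENC_IF up"
    echo "sysctl net.enc.out.ipsec_bpf_mask=3"
    echo "sysctl net.enc.out.ipsec_filter_mask=1"
    echo "sysctl net.enc.in.ipsec_bpf_mask=1"
    echo "sysctl net.enc.in.ipsec_filter_mask=1"
}

# Physical interface: only IKE (udp 500, udp 4500 for NAT-T) and ESP, and
# only from/to the known peers. Tunnel payload is still encrypted here, so
# inner addresses cannot be filtered on this interface.
outer_rules() {
    i=0
    printf '%s\n' "$PEERS" | while read -r name peer lnet rnet ports; do
        [ -n "$name" ] || continue
        n=$((1000 + 10 * i))
        echo "# $name (outer)"
        echo "ipfw add $n allow udp from $peer 500,4500 to $MY_ADDR 500,4500 in via $OUTER_IF"
        echo "ipfw add $((n + 1)) allow udp from $MY_ADDR 500,4500 to $peer 500,4500 out via $OUTER_IF"
        echo "ipfw add $((n + 2)) allow esp from $peer to $MY_ADDR in via $OUTER_IF"
        echo "ipfw add $((n + 3)) allow esp from $MY_ADDR to $peer out via $OUTER_IF"
        i=$((i + 1))
    done
}

# enc0: the decrypted packet, matched on inner addresses. Each peer may only
# open TCP to the listed ports on our network; replies go back out the same
# way. Anything else that shows up decrypted is logged and dropped.
enc_rules() {
    i=0
    printf '%s\n' "$PEERS" | while read -r name peer lnet rnet ports; do
        [ -n "$name" ] || continue
        n=$((2000 + 10 * i))
        echo "# $name (inner)"
        echo "ipfw add $n allow tcp from $rnet to $lnet $ports in via $ENC_IF"
        echo "ipfw add $((n + 1)) allow tcp from $lnet $ports to $rnet out via $ENC_IF"
        i=$((i + 1))
    done
    echo "ipfw add 2990 deny log ip from any to any in via $ENC_IF"
    echo "ipfw add 2991 deny log ip from any to any out via $ENC_IF"
}

# Print everything; on the VPN box, `sh enc-ipfw.sh | sh` would apply it.
enc_setup
outer_rules
enc_rules
```

Every packet that goes through a tunnel passes the ipfw rule set twice, once on em0 as ESP and once on enc0 in the clear, so any rule without a `via` clause matches both passes; tying each rule to an interface, as above, is what keeps the inner and outer policies from interfering with each other.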

