ipfw and strongswan

Christoph Harder shadowomf at arcor.de
Wed Dec 2 22:11:46 UTC 2020


Hello,

thank you for the fast reply.
I just tested it but didn't have any luck.

First I added  if_enc_load="YES"  to  /boot/loader.conf  and rebooted.
Then I tried to capture traffic using the mask you've suggested (default) as well as the suggested masks from if_enc(4).
In either case  tcpdump -vv -i enc0  and  tcpdump -vv -i enc0 icmp  did not capture any traffic (I ensured that there was tcp and icmp traffic while testing).

Do you have any idea what the reason might be, that tcpdump can't capture the traffic from enc0?

Best regards,
Christoph


On 01.12.2020 at 20:36, Michael Sierchio wrote:
> Exactly.  Pay attention to the sysctl settings.  See the man page. *man enc*
> 
> net.enc.out.ipsec_bpf_mask: 3
> 
> net.enc.out.ipsec_filter_mask: 1
> 
> net.enc.in.ipsec_bpf_mask: 1
> 
> net.enc.in.ipsec_filter_mask: 1
> 
> 
> Those are my values.   YMMV
> 
> 
> 
> On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov <vit at otcnet.ru> wrote:
> 
>> Hi Christoph
>>
>> You can try to use ipfw on the if_enc(4) interface to control IPsec traffic.
>>
>>
>>
>> On 01/12/2020 21:00, Christoph Harder wrote:
>>> Hello everybody,
>>>
>>> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for
>> VPN connections (tunnel mode) and ipfw as firewall.
>>> Currently the box is configured as VPN endpoint, but is not the main
>> gateway of the network (I'm not using it as a firewall or router for the
>> network). The box is connected by a single interface to the central network
>> switch.
>>>
>>> VPN with multiple locations is working great, but I would love to have a
>> bit more control over the actual traffic that is sent and received over
>> IPsec.
>>> If the box had multiple networks connected to it on different interfaces
>> I would be able to filter on the output interface, but that's not possible
>> at the moment.
>>>
>>> Is there an easy way to have one interface for each IPsec connection
>> that can be used to filter traffic with ipfw?
>>>
>>> Strongswan also has the option to mark traffic, for example the
>> following swanctl configuration settings:
>>> connections.<conn>.children.<child>.mark_in,
>> connections.<conn>.children.<child>.mark_in_sa,
>> connections.<conn>.children.<child>.mark_out,
>> connections.<conn>.children.<child>.set_mark_in,
>> connections.<conn>.children.<child>.set_mark_out
>>> Is this working on FreeBSD with ipfw?
>>>
>>> Strongswan also has the option to set the interface Id, but I believe
>> this XFRM-specific option probably won't work on FreeBSD.
>>> connections.<conn>.if_id_in, connections.<conn>.if_id_out,
>> connections.<conn>.children.<child>.if_id_in,
>> connections.<conn>.children.<child>.if_id_out
>>>
>>> Is anybody else using Strongswan with ipfw and can help?
>>
>>
>> --
>> CU,
>> Victor Gamov
>>
> 
> 
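The thread ends without a worked setup, so here is one as an added example. It is not code from the thread, from strongSwan or from FreeBSD. It assumes FreeBSD 12.x with ipfw(8) and if_enc(4) loaded via if_enc_load="YES" in /boot/loader.conf, as Christoph did. The sysctl names are the ones Michael Sierchio quoted; the meaning of the mask bits (0x1 before IPsec processing, 0x2 after) is taken from if_enc(4), which remains the authority. The outer interface name em0, the two tunnel subnets, the rule numbers and the ENC_APPLY switch are constructed for the example; the rule syntax is standard ipfw(8). One assumption worth stating: the script brings enc0 up before anything else, because in my reading of the enc driver its hook hands packets to BPF and the firewall only while the interface is UP; the thread does not say that. Without ENC_APPLY=1 the script only prints the commands it would run, so it can be read and checked anywhere.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread, strongSwan or
# FreeBSD.  Assumes FreeBSD 12.x, ipfw(8) and if_enc(4).  Interface name,
# subnets, rule numbers and ENC_APPLY are constructed for the example.
# Without ENC_APPLY=1 every command is printed instead of executed.
set -eu

# Mask bits for net.enc.{in,out}.ipsec_{bpf,filter}_mask, see if_enc(4):
# 0x1 = hand the packet to enc0 before IPsec processing, 0x2 = after it.
ENC_BEFORE=1
ENC_AFTER=2

OUTER_IF="em0"                 # interface carrying IKE and ESP (constructed)
LOCAL_NET="192.0.2.0/24"       # local side of one child SA (constructed)
REMOTE_NET="198.51.100.0/24"   # remote side of that child SA (constructed)

run() {
    # Execute on the FreeBSD box only when asked; otherwise print (dry run).
    if [ "${ENC_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

enc_sysctls() {
    # The values quoted in the thread: BPF sees outbound packets before and
    # after IPsec, the firewall sees each direction once.
    printf 'net.enc.out.ipsec_bpf_mask=%d\n'    $((ENC_BEFORE | ENC_AFTER))
    printf 'net.enc.out.ipsec_filter_mask=%d\n' "$ENC_BEFORE"
    printf 'net.enc.in.ipsec_bpf_mask=%d\n'     "$ENC_BEFORE"
    printf 'net.enc.in.ipsec_filter_mask=%d\n'  "$ENC_BEFORE"
}

outer_ipfw_rules() {
    # IKE (UDP 500, NAT-T 4500) and ESP must pass on the outer interface;
    # these rules only ever see ciphertext.
    base=$1; outer=$2
    printf 'add %d allow udp from any to me 500,4500 in recv %s\n'  "$base"        "$outer"
    printf 'add %d allow udp from me 500,4500 to any out xmit %s\n' $((base + 10)) "$outer"
    printf 'add %d allow esp from any to me in recv %s\n'           $((base + 20)) "$outer"
    printf 'add %d allow esp from me to any out xmit %s\n'          $((base + 30)) "$outer"
}

enc_ipfw_rules() {
    # Rules on enc0 see the decrypted (inbound) or not-yet-encrypted
    # (outbound) payload.  "via enc0" matches both directions, "in recv" and
    # "out xmit" pin one.  The final deny is the per-tunnel control the thread
    # asks for; "log" makes rejected flows visible on ipfw0 and in syslog.
    base=$1; lnet=$2; rnet=$3
    printf 'add %d allow icmp from %s to %s via enc0\n'                        "$base"        "$lnet" "$rnet"
    printf 'add %d allow icmp from %s to %s via enc0\n'                        $((base + 10)) "$rnet" "$lnet"
    printf 'add %d allow tcp from %s to %s 22,443 out xmit enc0\n'             $((base + 20)) "$lnet" "$rnet"
    printf 'add %d allow tcp from %s 22,443 to %s in recv enc0 established\n'  $((base + 30)) "$rnet" "$lnet"
    printf 'add %d deny log ip from any to any via enc0\n'                     $((base + 40))
}

enc_apply() {
    run kldload -n if_enc        # no-op when already loaded from loader.conf
    # enc0 is created DOWN; my reading of if_enc.c is that its hook passes
    # nothing to BPF or the firewall until the interface is UP (assumption).
    run ifconfig enc0 up
    enc_sysctls | while IFS= read -r kv; do run sysctl "$kv"; done
    { outer_ipfw_rules 500 "$OUTER_IF"
      enc_ipfw_rules 1000 "$LOCAL_NET" "$REMOTE_NET"; } |
    while IFS= read -r rule; do
        # $rule is meant to split into words here
        run ipfw $rule
    done
}

enc_check() {
    # What to look at afterwards: the masks, enc0's UP flag, per-rule hit
    # counters, and a bounded capture of the plaintext side of the tunnel.
    run sysctl net.enc
    run ifconfig enc0
    run ipfw -a list
    run tcpdump -nvi enc0 -c 20
}

enc_apply
enc_check
```

Run it once as a dry run, compare the printed ipfw rules with the ruleset already on the box (the constructed rule numbers 500 and 1000 must not collide with it), then run it with ENC_APPLY=1 as root. If the hit counters in `ipfw -a list` stay at zero for the enc0 rules while traffic flows through the tunnel, check `ifconfig enc0` for the UP flag and the `net.enc` values before suspecting the strongSwan side.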

