ipfw and strongswan
vit at otcnet.ru
Fri Dec 4 07:22:41 UTC 2020
I use the following settings to tcpdump some traffic:
On 03/12/2020 01:11, Christoph Harder wrote:
> Thank you for the fast reply.
> I just tested it but hadn't any luck.
> First I added if_enc_load="YES" to /boot/loader.conf and rebooted.
> Then I tried to capture traffic using the mask you've suggested (default) as well as the suggested masks from if_enc(4).
> In either case tcpdump -vv -i enc0 and tcpdump -vv -i enc0 icmp did not capture any traffic (I ensured that there was tcp and icmp traffic while testing).
> Do you have any idea what the reason might be, that tcpdump can't capture the traffic from enc0?
> Best regards,
> Am 01.12.2020 um 20:36 schrieb Michael Sierchio:
>> Exactly. Pay attention to the sysctl settings. See the man page. *man enc*
>> net.enc.out.ipsec_bpf_mask: 3
>> net.enc.out.ipsec_filter_mask: 1
>> net.enc.in.ipsec_bpf_mask: 1
>> net.enc.in.ipsec_filter_mask: 1
>> Those are my values. YMMV
>> On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov <vit at otcnet.ru> wrote:
>>> Hi Christoph
>>> You can try to use ipfw on if_enc(4) interface to control ipsec traffic.
>>> On 01/12/2020 21:00, Christoph Harder wrote:
>>>> Hello everybody,
>>>> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for
>>>> VPN connections (tunnel mode) and ipfw as firewall.
>>>> Currently the box is configured as VPN endpoint, but is not the main
>>>> gateway of the network (I'm not using it as a firewall or router for the
>>>> network). The box is connected by a single interface to the central network
>>>> VPN with multiple locations is working great, but I would love to have a
>>>> bit more control over the actual traffic that is sent and received over
>>>> If the box had multiple networks connected to it on different interfaces
>>>> I would be able to filter on the output interface, but that's not possible
>>>> at the moment.
>>>> Is there an easy way to have one interface for each IPsec connection
>>>> that can be used to filter traffic with ipfw?
>>>> Strongswan also has the option to mark traffic, for example the
>>>> following swanctl configuration settings:
>>>> Is this working on FreeBSD with ipfw?
>>>> Strongswan also has the option to set the interface Id, but I believe
>>>> this XFRM specific option probably won't work on FreeBSD.
>>>> connections.<conn>.if_id_in, connections.<conn>.if_id_out,
>>>> Is anybody else using Strongswan with ipfw and can help?
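Added example (not posted by anyone in this thread, and not strongSwan's or FreeBSD's own code): since FreeBSD exposes every IPsec SA through the single if_enc(4) interface rather than one interface per connection, the per-site control Christoph asks for is done by keying ipfw rules on enc0 plus the inner (pre-encryption / post-decryption) addresses. The script below emits the net.enc sysctl values Michael posted, builds a rule block per remote site, and applies it only when it finds ipfw and runs as root; elsewhere it just prints the rules. The subnets, port lists, rule numbers, and the 10.10.0.0/24 local LAN are made up for the example.

```shell
#!/bin/sh
# Added example: per-site ipfw filtering of tunnel-mode IPsec on enc0.
# Assumptions (constructed for the example): FreeBSD 12.x with if_enc loaded,
# ipfw as the firewall, local LAN 10.10.0.0/24, remote sites 10.20.0.0/24 and
# 10.30.0.0/24, rule numbers 1000-1999 free for these rules.

LOCAL_NET="10.10.0.0/24"
ENC_IF="enc0"

# sysctl values as posted in the thread; if_enc(4) documents the bit meanings
# (which stage of IPsec processing the firewall and bpf get to see).
enc_sysctls() {
    cat <<'EOF'
net.enc.out.ipsec_bpf_mask=3
net.enc.out.ipsec_filter_mask=1
net.enc.in.ipsec_bpf_mask=1
net.enc.in.ipsec_filter_mask=1
EOF
}

# Emit the ipfw rules for one remote site.
#   $1 = first rule number, $2 = remote inner subnet,
#   $3 = space-separated TCP ports that site may reach on the local LAN.
# Packets cross enc0 in plaintext, so the rules match on inner addresses.
site_rules() {
    base=$1; remote=$2; ports=$3
    # Plaintext leaving for the tunnel: anything from our LAN to that site.
    echo "add $base allow ip from $LOCAL_NET to $remote out via $ENC_IF"
    n=$((base + 1))
    # Decrypted traffic arriving from that site: only the listed services.
    for p in $ports; do
        echo "add $n allow tcp from $remote to $LOCAL_NET $p in via $ENC_IF"
        n=$((n + 1))
    done
    echo "add $n allow icmp from $remote to $LOCAL_NET in via $ENC_IF"
    n=$((n + 1))
    # Everything else that site sends through the tunnel is dropped and logged.
    echo "add $n deny log ip from $remote to any in via $ENC_IF"
}

# Complete enc0 rule block: one site_rules block per peer, then a catch-all.
ruleset() {
    site_rules 1000 10.20.0.0/24 "22 443"
    site_rules 1100 10.30.0.0/24 "443"
    echo "add 1900 deny log ip from any to any via $ENC_IF"
}

# Apply only where it can work (ipfw present, running as root); otherwise print.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        enc_sysctls | while IFS= read -r kv; do sysctl "$kv"; done
        ruleset | while IFS= read -r line; do
            ipfw -q $line   # each line is a complete "add N ..." command
        done
    else
        echo "# ipfw not available or not root; rules that would be applied:"
        ruleset
    fi
}

apply_rules
```

Two caveats a practitioner should keep in mind: the packet is also evaluated on the physical interface, so the outside rules still have to pass IKE (UDP 500 and 4500) and ESP (IP protocol 50) to and from each peer, and these enc0 rules only add inner-address filtering on top of that; and how the in/out rules line up with IPsec processing depends on the net.enc.*.ipsec_filter_mask bits, so check if_enc(4) for the running release before relying on a particular direction.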
More information about the freebsd-questions