From: Victor Gamov
Organization: OstankinoTelecom
To: freebsd-questions@freebsd.org
Subject: Re: ipfw and strongswan
Date: Fri, 4 Dec 2020 10:22:31 +0300
In-Reply-To: <8a2cad46-2120-4c85-4fe8-6a401f18e92e@arcor.de>

I use the following settings to tcpdump some traffic:

=====
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 1
=====

On 03/12/2020 01:11, Christoph Harder wrote:
> Hello,
>
> thank you for the fast reply.
> I just tested it but hadn't any luck.
>
> First I added if_enc_load="YES" to /boot/loader.conf and rebooted.
> Then I tried to capture traffic using the mask you've suggested (default) as well as the suggested masks from if_enc(4).
> In either case tcpdump -vv -i enc0 and tcpdump -vv -i enc0 icmp did not capture any traffic (I ensured that there was tcp and icmp traffic while testing).
>
> Do you have any idea what the reason might be, that tcpdump can't capture the traffic from enc0?
>
> Best regards,
> Christoph
>
>
> On 01.12.2020 at 20:36, Michael Sierchio wrote:
>> Exactly. Pay attention to the sysctl settings. See the man page. *man enc*
>>
>> net.enc.out.ipsec_bpf_mask: 3
>> net.enc.out.ipsec_filter_mask: 1
>> net.enc.in.ipsec_bpf_mask: 1
>> net.enc.in.ipsec_filter_mask: 1
>>
>> Those are my values. YMMV
>>
>> On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov wrote:
>>
>>> Hi Christoph
>>>
>>> You can try to use ipfw on the if_enc(4) interface to control ipsec traffic.
>>>
>>> On 01/12/2020 21:00, Christoph Harder wrote:
>>>> Hello everybody,
>>>>
>>>> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for VPN connections (tunnel mode) and ipfw as firewall.
>>>> Currently the box is configured as VPN endpoint, but is not the main gateway of the network (I'm not using it as a firewall or router for the network). The box is connected by a single interface to the central network switch.
>>>>
>>>> VPN with multiple locations is working great, but I would love to have a bit more control over the actual traffic that is sent and received over IPsec.
>>>> If the box had multiple networks connected to it on different interfaces I would be able to filter on the output interface, but that's not possible at the moment.
>>>>
>>>> Is there an easy way to have one interface for each IPsec connection that can be used to filter traffic with ipfw?
>>>>
>>>> Strongswan also has the option to mark traffic, for example the following swanctl configuration settings:
>>>> connections..children..mark_in, connections..children..mark_in_sa, connections..children..mark_out, connections..children..set_mark_in, connections..children..set_mark_out
>>>> Is this working on FreeBSD with ipfw?
>>>>
>>>> Strongswan also has the option to set the interface Id, but I believe this XFRM specific option probably won't work on FreeBSD.
>>>> connections..if_id_in, connections..if_id_out, connections..children..if_id_in, connections..children..if_id_out
>>>>
>>>> Is anybody else using Strongswan with ipfw and can help?

--
CU,
Victor Gamov
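An added example, not from the thread or from any of the posters: a POSIX shell script that decodes the net.enc mask values quoted above (bit 0x01 = "before" IPsec processing, 0x02 = "after", as enc(4) defines them) from constructed sysctl output, so you can tell at a glance which direction tcpdump on enc0 will or will not see, and emits ipfw rules that match only on the enc0 hook. The 10.0.1.0/24 and 10.0.2.0/24 networks, the rule numbers and the remark about enc0 needing to be up are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: decode the net.enc mask sysctls quoted
# above and emit ipfw rules that match only on enc0. Bit meanings follow enc(4):
# 0x01 = "before" IPsec processing, 0x02 = "after". The sample sysctl output is
# constructed from Victor's values; networks and rule numbers are assumptions.
set -eu

ENC_SYSCTL_SAMPLE='net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 1'

# enc_mask_stages MASK -> before | after | before+after | none;
# bits above 0x03 are not defined by enc(4) and are reported as invalid.
enc_mask_stages() {
    [ "$1" -ge 0 ] && [ "$1" -le 3 ] || { echo invalid; return 1; }
    case $1 in
        0) echo none ;;  1) echo before ;;
        2) echo after ;; 3) echo before+after ;;
    esac
}

# enc_mask_value NAME TEXT -> value of one net.enc.* line in sysctl output.
enc_mask_value() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# enc_report TEXT -> one line per direction and hook, e.g. "in bpf after".
# "none" on a bpf line means tcpdump -i enc0 sees nothing for that direction;
# the hooks also only act while enc0 is up (ifconfig enc0 up), as I read if_enc.
enc_report() {
    for dir in out in; do
        for hook in bpf filter; do
            v=$(enc_mask_value "net.enc.$dir.ipsec_${hook}_mask" "$1")
            echo "$dir $hook $(enc_mask_stages "${v:-0}")"
        done
    done
}

# enc_ipfw_rules LOCAL REMOTE -> rules pinned to the enc0 hook with xmit/recv,
# leaving the physical interface's rules untouched; last rule is a default deny.
enc_ipfw_rules() {
    cat <<EOF
ipfw add 1000 allow icmp from $1 to $2 out xmit enc0
ipfw add 1001 allow icmp from $2 to $1 in recv enc0
ipfw add 1002 allow tcp from $1 to $2 443 out xmit enc0 setup
ipfw add 1003 allow tcp from $2 to $1 src-port 443 in recv enc0 established
ipfw add 1999 deny log ip from any to any via enc0
EOF
}
```

Run `enc_report "$(sysctl net.enc)"` on the FreeBSD box itself to see the live values decoded the same way.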