From: Christoph Harder <shadowomf@arcor.de>
To: freebsd-questions@freebsd.org
Subject: ipfw and strongswan
Date: Tue, 1 Dec 2020 19:00:55 +0100
Message-ID: <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de>

Hello everybody,

I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for VPN connections (tunnel mode) and ipfw as firewall.

Currently the box is configured as VPN endpoint, but is not the main gateway of the network (I'm not using it as a firewall or router for the network). The box is connected by a single interface to the central network switch.

VPN with multiple locations is working great, but I would love to have a bit more control over the actual traffic that is sent and received over IPsec. If the box had multiple networks connected to it on different interfaces I would be able to filter on the output interface, but that's not possible at the moment.

Is there an easy way to have one interface for each IPsec connection that can be used to filter traffic with ipfw?

Strongswan also has the option to mark traffic, for example the following swanctl configuration settings:

connections.<conn>.children.<child>.mark_in,
connections.<conn>.children.<child>.mark_in_sa,
connections.<conn>.children.<child>.mark_out,
connections.<conn>.children.<child>.set_mark_in,
connections.<conn>.children.<child>.set_mark_out

Is this working on FreeBSD with ipfw?

Strongswan also has the option to set the interface ID, but I believe this XFRM-specific option probably won't work on FreeBSD.

connections.<conn>.if_id_in,
connections.<conn>.if_id_out,
connections.<conn>.children.<child>.if_id_in,
connections.<conn>.children.<child>.if_id_out

Is anybody else using Strongswan with ipfw and can help?

Best regards,
Christoph
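An added example to go with the question above; it is not code from the post, from strongSwan or from FreeBSD. The mark_* and if_id_* swanctl options are features of strongSwan's Linux Netlink/XFRM backend, and ipfw has nothing to match them against. What FreeBSD 11.1 and later do offer is an ipsec(4) virtual tunnel interface per tunnel, tied to the CHILD_SA by its reqid, so the cleartext packets show up on "ipsecN" and ipfw can filter them with "recv ipsecN" and "xmit ipsecN" exactly as if each peer hung off its own interface. Everything below (interface names em0/ipsec0, reqid 100, the 192.0.2.1/198.51.100.1 gateways, the 10.255.0.x point-to-point addresses, the 192.168.100.0/24 remote LAN, rule numbers from 1000) is assumed for illustration. Disabling strongSwan's own policy installation with "policies = no" so that the interface's own SPD entries drive encapsulation is also an assumption to check against the swanctl.conf reference for your version. The script only prints the commands unless APPLY=1 is set, so it runs offline:

```shell
#!/bin/sh
# Added example, not code from the original post, strongSwan or FreeBSD:
# one ipsec(4) interface per tunnel, selected by reqid, filtered by ipfw.
# All names and addresses are assumptions; override them via the environment.
# Commands are printed instead of executed unless APPLY=1 is set.

IFNUM=${IFNUM:-0}                        # ipsec0
REQID=${REQID:-100}                      # must equal reqid of the strongSwan child
WAN=${WAN:-em0}                          # physical interface carrying IKE/ESP (assumed)
LOCAL_GW=${LOCAL_GW:-192.0.2.1}          # our public address (assumed)
REMOTE_GW=${REMOTE_GW:-198.51.100.1}     # peer's public address (assumed)
INNER_LOCAL=${INNER_LOCAL:-10.255.0.1}   # point-to-point addresses on ipsecN (assumed)
INNER_REMOTE=${INNER_REMOTE:-10.255.0.2}
REMOTE_LAN=${REMOTE_LAN:-192.168.100.0/24}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Fragment for the child in swanctl.conf: reqid picks the interface, and
# policies=no leaves the SPD entries to the interface itself (assumption:
# verify against the swanctl.conf reference for your strongSwan version).
swanctl_child() {
    cat <<EOF
        children {
            site-$IFNUM {
                local_ts     = 0.0.0.0/0
                remote_ts    = 0.0.0.0/0
                reqid        = $REQID
                policies     = no
                start_action = start
            }
        }
EOF
}

# ipsec(4) matches incoming SAs to the interface by reqid, so the reqid given
# here and the one in the swanctl child must be the same number.
setup_interface() {
    run ifconfig "ipsec$IFNUM" create reqid "$REQID"
    run ifconfig "ipsec$IFNUM" inet "$INNER_LOCAL" "$INNER_REMOTE"
    run ifconfig "ipsec$IFNUM" tunnel "$LOCAL_GW" "$REMOTE_GW"
    # route the peer LAN into the tunnel; ipfw then sees it leave via ipsecN
    run route -q add -net "$REMOTE_LAN" "$INNER_REMOTE"
}

# ipfw rules numbered from $1. Decapsulated inbound packets only reach the
# firewall when net.inet.ipsec.filtertunnel is set; outbound cleartext is
# seen on ipsecN before encapsulation, the ESP on the physical interface.
ipfw_rules() {
    base=$1
    run sysctl net.inet.ipsec.filtertunnel=1
    run ipfw add "$base" check-state
    # IKE and ESP between the two gateways, physical interface only
    run ipfw add "$((base+10))" allow udp from "$REMOTE_GW" to "$LOCAL_GW" 500,4500 in recv "$WAN"
    run ipfw add "$((base+11))" allow udp from "$LOCAL_GW" to "$REMOTE_GW" 500,4500 out xmit "$WAN"
    run ipfw add "$((base+12))" allow esp from "$REMOTE_GW" to "$LOCAL_GW" in recv "$WAN"
    run ipfw add "$((base+13))" allow esp from "$LOCAL_GW" to "$REMOTE_GW" out xmit "$WAN"
    # cleartext policy for this one tunnel: peer LAN may ssh to this box,
    # this box may open anything towards the peer LAN, the rest is logged and dropped
    run ipfw add "$((base+20))" allow tcp from "$REMOTE_LAN" to me 22 in recv "ipsec$IFNUM" setup keep-state
    run ipfw add "$((base+21))" allow ip from me to "$REMOTE_LAN" out xmit "ipsec$IFNUM" keep-state
    run ipfw add "$((base+29))" deny log ip from any to any via "ipsec$IFNUM"
}

# Sanity check: every rule except check-state is pinned to the tunnel or the
# WAN interface, so nothing here accidentally applies to every interface.
rules_are_scoped() {
    ipfw_rules "$1" | grep '^ipfw add' | grep -v check-state |
        grep -vc -e "ipsec$IFNUM" -e "$WAN" | grep -q '^0$'
}

setup_interface
ipfw_rules 1000
```

A second tunnel gets its own ipsec1 with a different reqid and its own rule block, which is the per-connection split the question asks for. ipfw's bare "ipsec" rule option is the other tool worth knowing: it matches packets that the kernel decapsulated from IPsec, which separates tunnel traffic from plain traffic on the physical interface but cannot tell one tunnel from another; the interface approach can.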