Date:      Tue, 1 Dec 2020 19:00:55 +0100
From:      Christoph Harder <shadowomf@arcor.de>
To:        FreeBSD <freebsd-questions@freebsd.org>
Subject:   ipfw and strongswan
Message-ID:  <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de>

Hello everybody,

I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for VPN connections (tunnel mode) and ipfw as firewall.
Currently the box is configured as VPN endpoint, but is not the main gateway of the network (I'm not using it as a firewall or router for the network). The box is connected by a single interface to the central network switch.

VPN with multiple locations is working great, but I would love to have a bit more control over the actual traffic that is sent and received over IPsec.
If the box had multiple networks connected to it on different interfaces I would be able to filter on the output interface, but that's not possible at the moment.

Is there an easy way to have one interface for each IPsec connection that can be used to filter traffic with ipfw?

Strongswan also has the option to mark traffic, for example the following swanctl configuration settings:
connections.<conn>.children.<child>.mark_in
connections.<conn>.children.<child>.mark_in_sa
connections.<conn>.children.<child>.mark_out
connections.<conn>.children.<child>.set_mark_in
connections.<conn>.children.<child>.set_mark_out
Is this working on FreeBSD with ipfw?

Strongswan also has the option to set the interface ID, but I believe this XFRM-specific option probably won't work on FreeBSD.
connections.<conn>.if_id_in
connections.<conn>.if_id_out
connections.<conn>.children.<child>.if_id_in
connections.<conn>.children.<child>.if_id_out

Is anybody else using Strongswan with ipfw and can help?

Best regards,
Christoph
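The way a FreeBSD practitioner would usually get "one interface per IPsec connection" is the if_ipsec(4) virtual tunnel interface (in the base system since 11.1): the interface and the strongSwan child SA share a reqid, the kernel installs the tunnel policies for that reqid itself, and the decapsulated traffic then appears on ipsec0, where ipfw can match it with "via ipsec0". The fragments below are an added example written for this thread, not configuration from the original post, from the FreeBSD project or from strongSwan's documentation. All addresses, the interface names em0/ipsec0, the connection name siteb and the reqid 100 are placeholders; the swanctl child settings (reqid, policies = no, wide traffic selectors) are my assumption of what the kernel-pfkey backend needs when the kernel already owns the policies, and the remote peer is assumed to accept those selectors.

```conf
# ---- /etc/rc.conf ----
# 203.0.113.1 is this box, 198.51.100.1 the remote gateway (placeholders).
# 10.0.0.1/10.0.0.2 are point-to-point addresses of the tunnel link.
cloned_interfaces="ipsec0"
create_args_ipsec0="reqid 100"
ifconfig_ipsec0="inet 10.0.0.1 10.0.0.2 tunnel 203.0.113.1 198.51.100.1"
# Send the remote LAN (placeholder 192.168.10.0/24) through the tunnel link.
static_routes="siteb"
route_siteb="-net 192.168.10.0/24 10.0.0.2"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

# ---- /usr/local/etc/swanctl/swanctl.conf (child section only; IKE, auth and
#      proposals are omitted here and must match the existing working setup) ----
connections {
    siteb {
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        children {
            siteb {
                # Must equal the reqid given to ipsec0 above.
                reqid = 100
                # Assumption: the kernel already installed the policies for
                # ipsec0, so strongSwan only negotiates the SAs.
                policies = no
                # The interface policies cover any traffic that is routed to
                # ipsec0, so the selectors are deliberately wide.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                start_action = start
            }
        }
    }
}

# ---- /etc/ipfw.rules ----
#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add 50  check-state
# Outer traffic on the physical interface: IKE (500, NAT-T 4500) and ESP.
${fwcmd} add 100 allow udp from 203.0.113.1 to 198.51.100.1 500,4500 via em0
${fwcmd} add 101 allow udp from 198.51.100.1 to 203.0.113.1 500,4500 via em0
${fwcmd} add 110 allow esp from 203.0.113.1 to 198.51.100.1 via em0
${fwcmd} add 111 allow esp from 198.51.100.1 to 203.0.113.1 via em0
# Inner (decapsulated) traffic: now filterable per tunnel interface.
# Only SSH and HTTPS from the remote LAN to this box, statefully.
${fwcmd} add 200 allow tcp from 192.168.10.0/24 to me 22,443 in via ipsec0 setup keep-state
# Allow this box to open anything towards the remote LAN.
${fwcmd} add 210 allow ip from me to 192.168.10.0/24 out via ipsec0 keep-state
# Ping is handy for tunnel diagnostics.
${fwcmd} add 220 allow icmp from any to any via ipsec0 icmptypes 0,3,8,11
# Everything else on the tunnel interface is dropped and logged.
${fwcmd} add 290 deny log ip from any to any via ipsec0
# ... existing rules for em0 follow ...
${fwcmd} add 65000 allow ip from any to any
```

A second ipsec1 with its own reqid (and its own swanctl child carrying that reqid) gives the next location its own interface, so rules can be written per tunnel. Without if_ipsec, the alternative is "sysctl net.inet.ipsec.filtertunnel=1", after which the decapsulated packet is passed through ipfw a second time and can be matched with the ipfw "ipsec" option; that tells you the packet came out of an SA, but not which tunnel it came from, which is why the interface approach is the one that answers the question. The strongSwan mark_* and if_id_* settings above map to Linux XFRM marks and XFRM interfaces and have no counterpart in ipfw, whose own "tag"/"tagged" mechanism is unrelated.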



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8496ba13-127f-3d6e-029b-58ee49dccfdf>