Date: Tue, 1 Dec 2020 21:41:31 +0300 From: Victor Gamov <vit@otcnet.ru> To: freebsd-questions@freebsd.org Subject: Re: ipfw and strongswan Message-ID: <57624d27-900b-d54d-ed33-b76fabedaf48@otcnet.ru> In-Reply-To: <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de> References: <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Christoph You can try to use ipfw on if_enc(4) interface to control ipsec traffic. On 01/12/2020 21:00, Christoph Harder wrote: > Hello everybody, > > I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for VPN connections (tunnel mode) and ipfw as firewall. > Currently the box is configured as VPN endpoint, but is not the main gateway of the network (I'm not using it as a firewall or router for the network). The box is connected by a single interface to the central network switch. > > VPN with multiple locations is working great, but I would love to have a bit more control over the actual traffic that is send and received over IPsec. > If the box had multiple networks connected to it on different interfaces I would be able to filter on the output interface, but that's not possible at the moment. > > Is there an easy way to have one interface for each IPsec connection that can be used to filter traffic with ipfw? > > Strongswan also has the option to mark traffic, for example the following swanctl configuration settings: > connections.<conn>.children.<child>.mark_in, connections.<conn>.children.<child>.mark_in_sa, connections.<conn>.children.<child>.mark_out, connections.<conn>.children.<child>.set_mark_in, connections.<conn>.children.<child>.set_mark_out > Is this working on FreeBSD with ipfw? > > Strongswan also has the option to set the interface Id, but I believe this XFRM specific option probably wont work on FreeBSD. > connections.<conn>.if_id_in, connections.<conn>.if_id_out, connections.<conn>.children.<child>.if_id_in, connections.<conn>.children.<child>.if_id_out > > Is anybody else using Strongswan with ipfw and can help? -- CU, Victor Gamov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57624d27-900b-d54d-ed33-b76fabedaf48>