Date: Tue, 1 Dec 2020 11:36:51 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: ipfw and strongswan
Message-ID: <CAHu1Y72R0H2oFfY2FmWjx0saZCd4eqUdYNmq6-X2OwOp31POQg@mail.gmail.com>
In-Reply-To: <57624d27-900b-d54d-ed33-b76fabedaf48@otcnet.ru>
References: <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de> <57624d27-900b-d54d-ed33-b76fabedaf48@otcnet.ru>
Exactly. Pay attention to the sysctl settings. See the man page.

*man enc*

net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1

Those are my values. YMMV

On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov <vit@otcnet.ru> wrote:

> Hi Christoph
>
> You can try to use ipfw on if_enc(4) interface to control ipsec traffic.
>
>
> On 01/12/2020 21:00, Christoph Harder wrote:
> > Hello everybody,
> >
> > I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for
> > VPN connections (tunnel mode) and ipfw as firewall.
> > Currently the box is configured as VPN endpoint, but is not the main
> > gateway of the network (I'm not using it as a firewall or router for the
> > network). The box is connected by a single interface to the central network
> > switch.
> >
> > VPN with multiple locations is working great, but I would love to have a
> > bit more control over the actual traffic that is sent and received over
> > IPsec.
> > If the box had multiple networks connected to it on different interfaces
> > I would be able to filter on the output interface, but that's not possible
> > at the moment.
> >
> > Is there an easy way to have one interface for each IPsec connection
> > that can be used to filter traffic with ipfw?
> >
> > Strongswan also has the option to mark traffic, for example the
> > following swanctl configuration settings:
> > connections.<conn>.children.<child>.mark_in,
> > connections.<conn>.children.<child>.mark_in_sa,
> > connections.<conn>.children.<child>.mark_out,
> > connections.<conn>.children.<child>.set_mark_in,
> > connections.<conn>.children.<child>.set_mark_out
> > Is this working on FreeBSD with ipfw?
> >
> > Strongswan also has the option to set the interface Id, but I believe
> > this XFRM specific option probably won't work on FreeBSD.
> > connections.<conn>.if_id_in, connections.<conn>.if_id_out,
> > connections.<conn>.children.<child>.if_id_in,
> > connections.<conn>.children.<child>.if_id_out
> >
> > Is anybody else using Strongswan with ipfw and can help?
>
>
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
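As an added example (not code from any of the posters), the following POSIX sh script puts the two replies together: it sets the net.enc sysctls quoted in the reply, brings enc0 up, and emits an ipfw ruleset that filters each IPsec tunnel separately on the if_enc(4) interface. The tunnel labels, subnets, ports and rule numbers are constructed for illustration; what each sysctl bit selects is documented in enc(4). The script only prints the commands unless APPLY=1 is set, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: build (and optionally apply) an
# ipfw ruleset that filters IPsec traffic per tunnel on the if_enc(4)
# interface. Subnets, ports, rule numbers and tunnel labels are constructed;
# the sysctl values are the ones quoted in the reply.
# Commands are printed by default; set APPLY=1 to run them on the box.

# Constructed tunnel table: label, local subnet, remote subnet, allowed TCP port.
TUNNELS='
branch-a 10.10.0.0/24 10.20.0.0/24 443
branch-b 10.10.0.0/24 10.30.0.0/24 22
'

# Sysctl values from the reply; enc(4) documents what each bit selects.
# enc0 has to be up before the packet filter sees IPsec traffic on it.
enc_sysctls() {
    cat <<'EOF'
sysctl net.enc.out.ipsec_bpf_mask=3
sysctl net.enc.out.ipsec_filter_mask=1
sysctl net.enc.in.ipsec_bpf_mask=1
sysctl net.enc.in.ipsec_filter_mask=1
ifconfig enc0 up
EOF
}

# Rules for one tunnel: local hosts may open the allowed port on the remote
# subnet (replies match the dynamic rule created by keep-state); anything
# else seen on enc0 for that tunnel is logged and dropped.
# $1 rule base, $2 label, $3 local subnet, $4 remote subnet, $5 TCP port
tunnel_rules() {
    rb=$1; label=$2; lnet=$3; rnet=$4; port=$5
    echo "ipfw add $rb allow tcp from $lnet to $rnet $port out via enc0 setup keep-state // $label"
    echo "ipfw add $((rb + 1)) deny log ip from any to $rnet out via enc0 // $label"
    echo "ipfw add $((rb + 2)) deny log ip from $rnet to any in via enc0 // $label"
}

# Whole ruleset: one check-state in front, then a block of ten rule numbers
# per tunnel so each tunnel can be listed and adjusted on its own.
enc_ruleset() {
    echo "ipfw add 900 check-state"
    base=1000
    printf '%s\n' "$TUNNELS" | while read -r label lnet rnet port; do
        [ -n "$label" ] || continue      # skip the blank lines of the table
        tunnel_rules "$base" "$label" "$lnet" "$rnet" "$port"
        base=$((base + 10))
    done
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        { enc_sysctls; enc_ruleset; } | sh -e
    else
        enc_sysctls
        enc_ruleset
    fi
}

main
```

Run it as `sh enc-ipfw.sh` to review the generated commands, then `APPLY=1 sh enc-ipfw.sh` as root on the FreeBSD box. Every rule carries `via enc0`, so traffic on the physical interface that is not part of an IPsec tunnel is left to the rest of the ruleset, and the `deny log` rules give a per-tunnel record of anything a peer sends that the policy did not expect.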