Date: Fri, 4 Dec 2020 10:22:31 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-questions@freebsd.org
Subject: Re: ipfw and strongswan
Message-ID: <dc17b42c-63a3-992d-8ad0-cd742e516420@otcnet.ru>
In-Reply-To: <8a2cad46-2120-4c85-4fe8-6a401f18e92e@arcor.de>
References: <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de>
 <57624d27-900b-d54d-ed33-b76fabedaf48@otcnet.ru>
 <CAHu1Y72R0H2oFfY2FmWjx0saZCd4eqUdYNmq6-X2OwOp31POQg@mail.gmail.com>
 <8a2cad46-2120-4c85-4fe8-6a401f18e92e@arcor.de>
I use the following settings to tcpdump some traffic:

=====
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 1
=====

On 03/12/2020 01:11, Christoph Harder wrote:
> Hello,
>
> thank you for the fast reply.
> I just tested it but hadn't any luck.
>
> First I added if_enc_load="YES" to /boot/loader.conf and rebooted.
> Then I tried to capture traffic using the mask you've suggested (default) as well as the suggested masks from if_enc(4).
> In either case tcpdump -vv -i enc0 and tcpdump -vv -i enc0 icmp did not capture any traffic (I ensured that there was tcp and icmp traffic while testing).
>
> Do you have any idea what the reason might be, that tcpdump can't capture the traffic from enc0?
>
> Best regards,
> Christoph
>
>
> On 01.12.2020 at 20:36, Michael Sierchio wrote:
>> Exactly. Pay attention to the sysctl settings. See the man page. *man enc*
>>
>> net.enc.out.ipsec_bpf_mask: 3
>>
>> net.enc.out.ipsec_filter_mask: 1
>>
>> net.enc.in.ipsec_bpf_mask: 1
>>
>> net.enc.in.ipsec_filter_mask: 1
>>
>>
>> Those are my values. YMMV
>>
>>
>>
>> On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov <vit@otcnet.ru> wrote:
>>
>>> Hi Christoph
>>>
>>> You can try to use ipfw on the if_enc(4) interface to control ipsec traffic.
>>>
>>>
>>>
>>> On 01/12/2020 21:00, Christoph Harder wrote:
>>>> Hello everybody,
>>>>
>>>> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for
>>>> VPN connections (tunnel mode) and ipfw as firewall.
>>>> Currently the box is configured as VPN endpoint, but is not the main
>>>> gateway of the network (I'm not using it as a firewall or router for the
>>>> network). The box is connected by a single interface to the central network
>>>> switch.
>>>>
>>>> VPN with multiple locations is working great, but I would love to have a
>>>> bit more control over the actual traffic that is sent and received over
>>>> IPsec.
>>>> If the box had multiple networks connected to it on different interfaces
>>>> I would be able to filter on the output interface, but that's not possible
>>>> at the moment.
>>>>
>>>> Is there an easy way to have one interface for each IPsec connection
>>>> that can be used to filter traffic with ipfw?
>>>>
>>>> Strongswan also has the option to mark traffic, for example the
>>>> following swanctl configuration settings:
>>>> connections.<conn>.children.<child>.mark_in,
>>>> connections.<conn>.children.<child>.mark_in_sa,
>>>> connections.<conn>.children.<child>.mark_out,
>>>> connections.<conn>.children.<child>.set_mark_in,
>>>> connections.<conn>.children.<child>.set_mark_out
>>>> Is this working on FreeBSD with ipfw?
>>>>
>>>> Strongswan also has the option to set the interface Id, but I believe
>>>> this XFRM specific option probably won't work on FreeBSD.
>>>> connections.<conn>.if_id_in, connections.<conn>.if_id_out,
>>>> connections.<conn>.children.<child>.if_id_in,
>>>> connections.<conn>.children.<child>.if_id_out
>>>>
>>>> Is anybody else using Strongswan with ipfw and can help?

-- 
CU,
Victor Gamov
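The thread suggests filtering IPsec traffic with ipfw on the if_enc(4) interface and trades sysctl mask values without spelling out what the bits select. The script below is an added example for this page, not code from any of the posters or from the FreeBSD or strongSwan projects. It decodes the `net.enc.*` bitmasks (0x1 = hook before IPsec processing, 0x2 = hook after, per if_enc(4); for inbound traffic the processing is decryption, so 0x2 is the cleartext side, while for outbound traffic 0x1 is the cleartext side) and turns a small policy list into stateful ipfw rules matched `via enc0`. The networks 10.1.0.0/24 and 10.2.0.0/24, the rule numbers from 1000 and the policy lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: if_enc(4) mask decoding and an
# ipfw rule generator for cleartext crossing enc0.  All addresses, rule
# numbers and policy entries below are constructed placeholders.

# if_enc(4) masks are bitmaps: 0x1 = hook before IPsec processing,
# 0x2 = hook after.  Inbound: "before" is still ESP, "after" is decrypted.
# Outbound: "before" is cleartext, "after" is already encrypted.
enc_stages() {          # $1 = in|out, $2 = mask value; prints hooked stages
    stages=""
    if [ $(( $2 & 1 )) -ne 0 ]; then
        if [ "$1" = in ]; then stages="before-decrypt(ESP)"
        else stages="before-encrypt(cleartext)"; fi
    fi
    if [ $(( $2 & 2 )) -ne 0 ]; then
        if [ -n "$stages" ]; then stages="$stages,"; fi
        if [ "$1" = in ]; then stages="${stages}after-decrypt(cleartext)"
        else stages="${stages}after-encrypt(ESP)"; fi
    fi
    printf '%s\n' "${stages:-none}"
}

# Constructed sample policy: proto, destination port ("-" = none),
# direction of the initiating packet relative to the local net, action.
POLICY='# proto dst-port dir action
tcp 443 out allow
tcp 22 in allow
icmp - out allow'

# Read policy lines on stdin and print ipfw commands: a check-state rule
# first so replies of permitted flows pass, one stateful rule per policy
# line, and a final deny so anything not listed is dropped at enc0.
enc_rules() {           # $1 = local net, $2 = remote net, $3 = first rule number
    n=$3
    printf 'ipfw add %d check-state\n' "$n"
    while read -r proto port dir action; do
        case "$proto" in ''|'#'*) continue ;; esac
        n=$((n + 1))
        if [ "$port" = - ]; then dport=""; else dport=" $port"; fi
        if [ "$dir" = out ]; then src=$1; dst=$2; else src=$2; dst=$1; fi
        rule="ipfw add $n $action $proto from $src to $dst$dport $dir via enc0"
        if [ "$action" = allow ]; then
            # TCP needs "setup" so only the first packet of a flow matches.
            if [ "$proto" = tcp ]; then rule="$rule setup keep-state"
            else rule="$rule keep-state"; fi
        fi
        printf '%s\n' "$rule"
    done
    printf 'ipfw add %d deny ip from any to any via enc0\n' "$((n + 1))"
}

# FreeBSD only: hook ipfw on the cleartext side of both directions, then
# load the rules.  Needs if_enc_load="YES" in /boot/loader.conf (see thread).
enc_apply() {
    sysctl net.enc.out.ipsec_filter_mask=1   # outbound: before encryption
    sysctl net.enc.in.ipsec_filter_mask=2    # inbound: after decryption
    printf '%s\n' "$POLICY" | enc_rules 10.1.0.0/24 10.2.0.0/24 1000 | sh -x
}

if [ "${1:-}" = apply ]; then
    enc_apply
else
    # Preview: print what would be loaded without touching the system.
    printf '%s\n' "$POLICY" | enc_rules 10.1.0.0/24 10.2.0.0/24 1000
fi
```

Run it without arguments to preview the rule set; `sh script.sh apply` loads it on the FreeBSD box. The filter masks matter as much as the rules: with `net.enc.in.ipsec_filter_mask` left at 1, the inbound hook hands ipfw the still-encrypted ESP packet, so a blanket `deny ip from any to any via enc0` would drop the tunnel traffic itself rather than enforce the cleartext policy.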
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?dc17b42c-63a3-992d-8ad0-cd742e516420>