ipfw and strongswan
Victor Gamov
vit at otcnet.ru
Fri Dec 4 07:22:41 UTC 2020
I use the following settings to tcpdump some traffic:
=====
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 1
=====
On 03/12/2020 01:11, Christoph Harder wrote:
> Hello,
>
> thank you for the fast reply.
> I just tested it but hadn't any luck.
>
> First I added if_enc_load="YES" to /boot/loader.conf and rebooted.
> Then I tried to capture traffic using the mask you've suggested (default) as well as the suggested masks from if_enc(4).
> In either case tcpdump -vv -i enc0 and tcpdump -vv -i enc0 icmp did not capture any traffic (I ensured that there was tcp and icmp traffic while testing).
>
> Do you have any idea what the reason might be, that tcpdump can't capture the traffic from enc0?
>
> Best regards,
> Christoph
>
>
> On 01.12.2020 at 20:36, Michael Sierchio wrote:
>> Exactly. Pay attention to the sysctl settings. See the man page. *man enc*
>>
>> net.enc.out.ipsec_bpf_mask: 3
>>
>> net.enc.out.ipsec_filter_mask: 1
>>
>> net.enc.in.ipsec_bpf_mask: 1
>>
>> net.enc.in.ipsec_filter_mask: 1
>>
>>
>> Those are my values. YMMV
>>
>>
>>
>> On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov <vit at otcnet.ru> wrote:
>>
>>> Hi Christoph
>>>
>>> You can try to use ipfw on if_enc(4) interface to control ipsec traffic.
>>>
>>>
>>>
>>> On 01/12/2020 21:00, Christoph Harder wrote:
>>>> Hello everybody,
>>>>
>>>> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for
>>>> VPN connections (tunnel mode) and ipfw as firewall.
>>>> Currently the box is configured as VPN endpoint, but is not the main
>>>> gateway of the network (I'm not using it as a firewall or router for the
>>>> network). The box is connected by a single interface to the central network
>>>> switch.
>>>>
>>>> VPN with multiple locations is working great, but I would love to have a
>>>> bit more control over the actual traffic that is sent and received over
>>>> IPsec.
>>>> If the box had multiple networks connected to it on different interfaces
>>>> I would be able to filter on the output interface, but that's not possible
>>>> at the moment.
>>>>
>>>> Is there an easy way to have one interface for each IPsec connection
>>>> that can be used to filter traffic with ipfw?
>>>>
>>>> Strongswan also has the option to mark traffic, for example the
>>>> following swanctl configuration settings:
>>>> connections.<conn>.children.<child>.mark_in,
>>>> connections.<conn>.children.<child>.mark_in_sa,
>>>> connections.<conn>.children.<child>.mark_out,
>>>> connections.<conn>.children.<child>.set_mark_in,
>>>> connections.<conn>.children.<child>.set_mark_out
>>>> Is this working on FreeBSD with ipfw?
>>>>
>>>> Strongswan also has the option to set the interface ID, but I believe
>>>> this XFRM-specific option probably won't work on FreeBSD.
>>>> connections.<conn>.if_id_in, connections.<conn>.if_id_out,
>>>> connections.<conn>.children.<child>.if_id_in,
>>>> connections.<conn>.children.<child>.if_id_out
>>>>
>>>> Is anybody else using Strongswan with ipfw and can help?
--
CU,
Victor Gamov
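Putting the thread's pieces together as an added example (not code from any of the posters): load if_enc(4), apply the four sysctl values from Victor's message, and add ipfw rules on enc0 that pick out one tunnel by its subnets, since every SA shares the single enc0 interface. The subnets, rule numbers and the APPLY switch are constructed assumptions; without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: make IPsec traffic visible on enc0
# for tcpdump and filterable with ipfw, then select one tunnel's traffic
# by its subnets (enc0 is shared by all SAs, so the subnets are the key).
# Assumed values (constructed): local 192.0.2.0/24, remote 198.51.100.0/24.
LOCAL_NET="${LOCAL_NET:-192.0.2.0/24}"
REMOTE_NET="${REMOTE_NET:-198.51.100.0/24}"

# The sysctl values Victor Gamov posted; see if_enc(4) for the bit meanings.
enc_sysctls() {
    printf '%s\n' \
        'net.enc.out.ipsec_bpf_mask=1' \
        'net.enc.out.ipsec_filter_mask=1' \
        'net.enc.in.ipsec_bpf_mask=2' \
        'net.enc.in.ipsec_filter_mask=1'
}

# ipfw rules on enc0: allow one tunnel both ways, log and deny the rest.
# Rule numbers 1000-1020 are an assumption; fit them into your own ruleset.
enc_ipfw_rules() {
    local_net="$1"; remote_net="$2"
    printf '%s\n' \
        "ipfw add 1000 allow ip from $local_net to $remote_net out via enc0" \
        "ipfw add 1010 allow ip from $remote_net to $local_net in via enc0" \
        "ipfw add 1020 deny log ip from any to any via enc0"
}

# Execute only when APPLY=1 (on the FreeBSD box); otherwise show the command.
run_or_show() {
    if [ "${APPLY:-0}" = "1" ]; then sh -c "$1"; else echo "$1"; fi
}

main() {
    # if_enc_load="YES" in /boot/loader.conf does the same at boot;
    # kldload -n skips the load if the module is already present.
    run_or_show "kldload -n if_enc"
    enc_sysctls | while read -r kv; do run_or_show "sysctl $kv"; done
    enc_ipfw_rules "$LOCAL_NET" "$REMOTE_NET" | while read -r rule; do
        run_or_show "$rule"
    done
    # Check: traffic matched on enc0 should now show up in tcpdump as well.
    run_or_show "tcpdump -ni enc0 -c 5"
}

main
```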