From owner-freebsd-questions@freebsd.org Wed Dec 2 22:11:46 2020
Subject: Re: ipfw and strongswan
To: freebsd-questions@freebsd.org
References: <8496ba13-127f-3d6e-029b-58ee49dccfdf@arcor.de> <57624d27-900b-d54d-ed33-b76fabedaf48@otcnet.ru>
From: Christoph Harder
Message-ID: <8a2cad46-2120-4c85-4fe8-6a401f18e92e@arcor.de>
Date: Wed, 2 Dec 2020 23:11:39 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
List-Id: User questions
X-List-Received-Date:
Wed, 02 Dec 2020 22:11:46 -0000

Hello,

thank you for the fast reply.

I just tested it but hadn't any luck.
First I added if_enc_load="YES" to /boot/loader.conf and rebooted.
Then I tried to capture traffic using the mask you've suggested (default) as well as the suggested masks from if_enc(4).
In either case tcpdump -vv -i enc0 and tcpdump -vv -i enc0 icmp did not capture any traffic (I ensured that there was tcp and icmp traffic while testing).

Do you have any idea what the reason might be that tcpdump can't capture the traffic from enc0?

Best regards,
Christoph

On 01.12.2020 at 20:36, Michael Sierchio wrote:
> Exactly. Pay attention to the sysctl settings. See the man page. *man enc*
>
> net.enc.out.ipsec_bpf_mask: 3
> net.enc.out.ipsec_filter_mask: 1
> net.enc.in.ipsec_bpf_mask: 1
> net.enc.in.ipsec_filter_mask: 1
>
> Those are my values. YMMV
>
> On Tue, Dec 1, 2020 at 10:41 AM Victor Gamov wrote:
>
>> Hi Christoph
>>
>> You can try to use ipfw on if_enc(4) interface to control ipsec traffic.
>>
>> On 01/12/2020 21:00, Christoph Harder wrote:
>>> Hello everybody,
>>>
>>> I'm using "FreeBSD 12.1-RELEASE-p10 GENERIC" with "strongswan-5.9.0" for VPN connections (tunnel mode) and ipfw as firewall.
>>> Currently the box is configured as VPN endpoint, but is not the main gateway of the network (I'm not using it as a firewall or router for the network). The box is connected by a single interface to the central network switch.
>>>
>>> VPN with multiple locations is working great, but I would love to have a bit more control over the actual traffic that is sent and received over IPsec.
>>> If the box had multiple networks connected to it on different interfaces I would be able to filter on the output interface, but that's not possible at the moment.
>>>
>>> Is there an easy way to have one interface for each IPsec connection that can be used to filter traffic with ipfw?
>>>
>>> Strongswan also has the option to mark traffic, for example the following swanctl configuration settings:
>>> connections..children..mark_in, connections..children..mark_in_sa, connections..children..mark_out, connections..children..set_mark_in, connections..children..set_mark_out
>>> Is this working on FreeBSD with ipfw?
>>>
>>> Strongswan also has the option to set the interface ID, but I believe this XFRM-specific option probably won't work on FreeBSD.
>>> connections..if_id_in, connections..if_id_out, connections..children..if_id_in, connections..children..if_id_out
>>>
>>> Is anybody else using Strongswan with ipfw and can help?
>>
>> --
>> CU,
>> Victor Gamov
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
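Added example (editor's note, not code from anyone in this thread, from strongSwan or from FreeBSD): a small sh(1) script that ties the pieces of the thread together on a FreeBSD 12 box with ipfw and strongSwan. It loads if_enc(4) if needed and brings enc0 up (a step the thread does not mention; an enc0 that is not UP passes nothing to bpf or pfil, which is worth ruling out when tcpdump -i enc0 stays silent), sets the four net.enc masks, and installs ipfw rules on enc0 that allow each tunnel only the subnets it is meant to carry, with a logged catch-all deny at the end. Everything here is an assumption for illustration: the function names (enc_mask_describe, is_cidr, ipfw_tunnel_rules, enc_ruleset, enc_apply), the subnets 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 (made-up documentation ranges), the rule numbers, and the mask choice of "after" (2) on input and "before" (1) on output, which differs from the values Michael quoted and is meant to expose the cleartext inner packet in tunnel mode; confirm the bit meanings against if_enc(4) on your release. Because all tunnels share the single enc0, the per-connection control the original question asks for is done by src/dst subnet in the rules, not by strongSwan's mark_* settings, which the thread leaves open for FreeBSD.

```sh
#!/bin/sh
# Added example, not code from the thread or from strongSwan/FreeBSD.
# Makes IPsec tunnel traffic visible to ipfw(8) and tcpdump(1) via if_enc(4)
# and installs ipfw rules that pin each strongSwan tunnel to its own subnets.
# "sh enc-ipfw.sh apply" runs it on the FreeBSD box; with no argument it
# only defines the functions. All subnets below are made up for the example.

# Decode an if_enc(4) mask: bit 1 = "before" IPsec processing, bit 2 = "after".
enc_mask_describe() {
    case "$1" in
        0) echo none ;;
        1) echo before ;;
        2) echo after ;;
        3) echo before+after ;;
        *) echo invalid; return 1 ;;
    esac
}

# Syntax-only check for a.b.c.d/n so a typo never expands to an "any" match.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# ipfw rules for one tunnel, numbered from $3: outbound inner traffic must go
# from our subnet to the peer's, inbound the other way round. Both carry
# "via enc0", so they can never match traffic on the physical interface.
ipfw_tunnel_rules() {
    local_net=$1; remote_net=$2; base=$3
    if ! is_cidr "$local_net" || ! is_cidr "$remote_net"; then
        echo "ipfw_tunnel_rules: bad CIDR: $local_net $remote_net" >&2
        return 1
    fi
    printf 'add %d allow ip from %s to %s out via enc0\n' "$base" "$local_net" "$remote_net"
    printf 'add %d allow ip from %s to %s in via enc0\n' "$((base + 10))" "$remote_net" "$local_net"
}

# Full rule set: one block per tunnel, then a logged catch-all on enc0.
# Rule numbers must sort before any general "allow" in the existing ipfw set.
enc_ruleset() {
    ipfw_tunnel_rules 192.0.2.0/24 198.51.100.0/24 1000   # tunnel to site A (made up)
    ipfw_tunnel_rules 192.0.2.0/24 203.0.113.0/24  1100   # tunnel to site B (made up)
    echo 'add 1990 deny log ip from any to any via enc0'
}

enc_apply() {
    # enc0 appears when if_enc is loaded, but it must also be UP: a down enc0
    # hands nothing to bpf or pfil, so tcpdump -i enc0 stays silent.
    ifconfig enc0 >/dev/null 2>&1 || kldload if_enc
    ifconfig enc0 up
    # Input: "after" (inner packet after decryption and decapsulation).
    # Output: "before" (inner packet before encryption). With these bits both
    # ipfw and tcpdump see the cleartext inner packets on enc0; see if_enc(4).
    sysctl net.enc.in.ipsec_bpf_mask=2 net.enc.in.ipsec_filter_mask=2 \
           net.enc.out.ipsec_bpf_mask=1 net.enc.out.ipsec_filter_mask=1
    # Feed the generated rules to ipfw as a rule file.
    enc_ruleset | ipfw -q /dev/stdin
    # Persist the interface state; if_enc_load="YES" in loader.conf is assumed,
    # and the four net.enc sysctls belong in /etc/sysctl.conf as well.
    sysrc ifconfig_enc0=up
    echo "verify with: tcpdump -ni enc0 -c 5"
}

if [ "${1:-}" = "apply" ]; then
    enc_apply
fi
```

Order matters in ipfw: the enc0 block has to sit before any broad "allow ip from any to any" rule already in the set, otherwise the tunnel traffic is accepted before these rules are reached. The ESP/IKE packets themselves (protocol 50, UDP 500 and 4500) are still seen on the physical interface and need their own allow rules there; the "via enc0" qualifier keeps the two rule groups from interfering with each other.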