On 06.10.2014 at 08:58, Dr. Rolf Jansen <[email protected]> wrote:
> On 01.10.2014 at 04:20, Martin Willi <[email protected]> wrote:
>
>> Hi Rolf,
>>
>>> 1. Did somebody already port the farp plugin to *BSD or perhaps to Mac
>>> OS X?
>>
>> No, at least nothing has been discussed here.
>>
>>> 2. Is it feasible at all, or would proxy arp on FreeBSD not work in a
>>> similar manner as on Linux?
>>
>> I think so. farp_spoofer.c is probably the only part that needs porting,
>> and that doesn't have that much code. I'm no FreeBSD expert, but as long
>> as you have AF_PACKET and BPF it looks absolutely doable.
>>
>> As you already noticed, the most tricky part is probably to get the
>> includes right on both systems.
>
> I investigated this a little bit more, and for me the main problem now is
> that in FreeBSD, I cannot attach a BPF to an arbitrary socket. On FreeBSD a
> BPF device must be opened, and a network interface on which to filter must be
> associated with that bpf device. In order to continue, I need to find out
> somehow an identifier of the interface which serves as the arp-proxy already
> in farp_spoofer_create(), then I could create a bpf device on each call to
> farp_spoofer_create() and associate the arp-proxy-interface with that.
>
> If a plugin in the course of instance creation could know either of the
> interface dev-name, IP- or MAC-address, then using getifaddrs(3) it should be
> possible to find out anything necessary. However, I am no longer that sure that
> proxy arp on FreeBSD could work the same as on Linux.

I got a first raw version of farp_spoofer.c for FreeBSD ready, which makes use
of the BPF device instead of an AF_PACKET socket. On my FreeBSD 10
installation, strongSwan does load the farp plugin, but it does not call
farp_spoofer_create(). I added a diagnostic message at the entrance of said
routine, and according to the log file it is never called.

    farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
    {
        DBG1(DBG_NET, "an ARP spoofer has been created.");
        private_farp_spoofer_t *this;
        struct bpf_insn arp_request_filter_code[] = {
        ...

I want to activate proxy-arp for a Windows client connecting via IKEv2 and
machine certificate authentication. Windows connects perfectly well, but
farp_spoofer_create() never gets called, which is quite likely not related to
my changes because these changes affect later stages only.

Question: how can I get the farp plugin to create a spoofer instance? My
ipsec.conf is:

    conn IKEv2
        keyexchange = ikev2
        leftcert = ipsec-service-cert.pem
        rightcert = ipsec-clients-cert.pem
        left = %any
        leftsubnet = 192.168.1.0/24
        right = %any
        rightdns = 192.168.1.35
        rightsourceip = 192.168.1.176/28
        auto = add

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev