[strongSwan-dev] Proxy ARP plugin farp or FreeBSD

Dr. Rolf Jansen rj at obsigna.com
Thu Oct 9 19:47:27 CEST 2014

Am 06.10.2014 um 08:58 schrieb Dr. Rolf Jansen <rj at obsigna.com>:

> Am 01.10.2014 um 04:20 schrieb Martin Willi <martin at strongswan.org>:
>> Hi Rolf,
>>> 1. Did somebody port already the farp plugin to *BSD or perhaps to Mac
>>>  OS X?
>> No, at least nothing has been discussed here.
>>> 2. Is it feasible at all, or would proxy arp on FreeBSD not work in a
>>>  similar manner as on Linux?
>> I think so. farp_spoofer.c is probably the only part that needs porting,
>> and that doesn't have that much code. I'm no FreeBSD expert, but as long
>> as you have AF_PACKET and BPF it looks absolutely doable. 
>> As you already noticed, the most tricky part is probably to get the
>> includes right on both systems.
> I investigated this a little bit more, and for me the main problem is now, that in FreeBSD, I cannot attach a BPF to an arbitrary socket. On FreeBSD a BPF device must be opened, and a network interface on which to filter must be associated with that bpf device. In order to continue, I need to find out somehow an identifier of the interface which serves as the arp-proxy already in farp_spoofer_create(), then I could create a bpf device on each call to farp_spoofer_create() and associated the arp-proxy-interface with that.
> If a plugin in the course of instance creation could know either of the interface dev-name, IP- or MAC-address, then using getifaddrs(3) it should be possible to find out anything necessary. However, I am no more that sure that proxy arp on FreeBSD could work the same as on Linux.

I got a first raw version of farp_spoofer.c for FreeBSD ready, which makes use of the BPF device instead of an AF-PACKET socket. On my FreeBSD 10 installation, strongSwan does load the farp plugin, but it does not call farp_spoofer_create(). I added a diagnostic message at the entrance of said routine, and according to the log file it is never called.

farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
    DBG1(DBG_NET, "an ARP spoofer has been created.");

	private_farp_spoofer_t *this;
	struct bpf_insn arp_request_filter_code[] = {

I want to activate proxy-arp for a Windows client connecting via IKEv2 and machine certificate authentication. Windows connects perfectly well, but farp_spoofer_create() gets never called, which is quite likely not related to my changes because these changes affect later stages only.

Question, how can I get the farp plugin to create a spoofer instance? My ipsec.conf is:

conn IKEv2
   keyexchange = ikev2
   leftcert = ipsec-service-cert.pem
   rightcert = ipsec-clients-cert.pem
   left = %any
   leftsubnet =
   right = %any
   rightdns =
   rightsourceip =
   auto = add

More information about the Dev mailing list