[Swan] Firewalld libreswan centos8

Ian Willis ianw at checksum.net.au
Mon Dec 23 11:47:42 UTC 2019

Hi All,

While it's not really a libreswan issue I thought that someone here
might be able to assist.

With a datacentre network of and a libreswan ipsec
allocated network of ( ie
I want traffic to allow traffic to be able to route between the
networks. I don't want to use NAT and I would like to use the
The reason for not wanting NAT is that when services are consumed the
source IP address is logged which is associated with an end user.

I can ping between the hosts, so routing appears to be correct.
Everything routes correctly when I stop firewalld.  

I had thought that this would be pretty simple with something like the

firewall-cmd --zone=work --add-rich-rule='rule family="ipv4"   source
address="" destination address="" protocol
value="tcp" log level="warning" accept'

However the traffic was dropped still being dropped by the firewall.

I then throught that a direct rule might help.

Something like 

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i
ens3 -o ens7 -p tcp  --dport 53 -m state --state

However that didn't work either. 

Any advice on the best way to set this up would be appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20191223/67d88ba7/attachment.html>

More information about the Swan mailing list