[Swan] Firewalld libreswan centos8
paul at nohats.ca
Tue Dec 31 01:57:26 UTC 2019
On Tue, 24 Dec 2019, Ian Willis wrote:
> While it's not really a libreswan issue I thought that someone here might be able to assist.
> With a datacentre network of 10.10.10.0/20 and a libreswan ipsec allocated network of ( 10.200.200.16- 10.200.200.64) ie 10.200.200.0/24 I
> want traffic to allow traffic to be able to route between the networks. I don't want to use NAT and I would like to use the firewall.
> The reason for not wanting NAT is that when services are consumed the source IP address is logged which is associated with an end user.
> I can ping between the hosts, so routing appears to be correct.
> Everything routes correctly when I stop firewalld.
If firewalld is running, does the IPsec tunnel establish? If not, then
you need to allow IPsec using:
firewall-cmd --add-service=ipsec --permanent
this will ensure that IKE and IPsec packets are accepted.
> I had thought that this would be pretty simple with something like the following
> firewall-cmd --zone=work --add-rich-rule='rule family="ipv4" source address="10.200.200.0/24" destination address="10.10.10.0/20"
> protocol value="tcp" log level="warning" accept'
> However the traffic was dropped still being dropped by the firewall.
> I then throught that a direct rule might help.
> Something like
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -o ens7 -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLI
> SHED -j ACCEPT
> However that didn't work either.
I'm unfortunately also not that familiar with firewalld to help you further.
More information about the Swan