[Swan] Firewalld libreswan centos8

Paul Wouters paul at nohats.ca
Tue Dec 31 01:57:26 UTC 2019

On Tue, 24 Dec 2019, Ian Willis wrote:

> While it's not really a libreswan issue I thought that someone here might be able to assist.
> With a datacentre network of and a libreswan ipsec allocated network of ( ie I
> want traffic to allow traffic to be able to route between the networks. I don't want to use NAT and I would like to use the firewall.
> The reason for not wanting NAT is that when services are consumed the source IP address is logged which is associated with an end user.
> I can ping between the hosts, so routing appears to be correct.
> Everything routes correctly when I stop firewalld.

If firewalld is running, does the IPsec tunnel establish? If not, then
you need to allow IPsec using:

firewall-cmd --add-service=ipsec --permanent
firewall-cmd --reload

this will ensure that IKE and IPsec packets are accepted.

> I had thought that this would be pretty simple with something like the following
> firewall-cmd --zone=work --add-rich-rule='rule family="ipv4"   source address="" destination address=""
> protocol value="tcp" log level="warning" accept'
> However the traffic was dropped still being dropped by the firewall.
> I then throught that a direct rule might help.
> Something like
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -o ens7 -p tcp  --dport 53 -m state --state NEW,RELATED,ESTABLI
> However that didn't work either.

I'm unfortunately also not that familiar with firewalld to help you further.


More information about the Swan mailing list