[Swan] Firewalld libreswan centos8

Ian Willis ian at checksum.net.au
Tue Dec 31 02:21:22 UTC 2019 

Hi Paul,

Thanks for the response,

The IPSEC connection is up running and routing. The ping tests are done
to a private 10 network behind the IPSEC termination point so the only
path to this network is via a tunnel. 
Doing a tcpdump on the outbound interface on the client shows a mix of
IPSEC and ICMP packeting during the ping tests which initially confused
me but appears to be normal.
I suspect that I need to work on the packets from a postrouting
perspective as the incoming packets aren't visible. I suspect that
firewalld is more of a machine based firewall rather than a firewall
proper, so my expectations may be a little high.

On the bright side, I now have clients machines joining a private
freeipa kerberos domain via an ipsec tunnel. Now to see if I can make
home directories automount via NFS which may require solving the NAT
issues and I should be mostly done.

Regards Ian


-----Original Message-----
From: Paul Wouters <paul at nohats.ca>
To: Ian Willis <ian at checksum.net.au>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan]  Firewalld libreswan centos8
Date: Mon, 30 Dec 2019 20:57:26 -0500 (EST)

On Tue, 24 Dec 2019, Ian Willis wrote:
While it's not really a libreswan issue I thought that someone here
might be able to assist.
With a datacentre network of 10.10.10.0/20 and a libreswan ipsec
allocated network of ( 10.200.200.16- 10.200.200.64) ie 10.200.200.0/24
Iwant traffic to allow traffic to be able to route between the
networks. I don't want to use NAT and I would like to use the
firewall.The reason for not wanting NAT is that when services are
consumed the source IP address is logged which is associated with an
end user.
I can ping between the hosts, so routing appears to be
correct.Everything routes correctly when I stop firewalld.
If firewalld is running, does the IPsec tunnel establish? If not,
thenyou need to allow IPsec using:
firewall-cmd --add-service=ipsec --permanentfirewall-cmd --reload
this will ensure that IKE and IPsec packets are accepted.
I had thought that this would be pretty simple with something like the
following
firewall-cmd --zone=work --add-rich-rule='rule family="ipv4"   source
address="10.200.200.0/24" destination address="10.10.10.0/20"protocol
value="tcp" log level="warning" accept'
However the traffic was dropped still being dropped by the firewall.
I then throught that a direct rule might help.
Something like
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i
ens3 -o ens7 -p tcp  --dport 53 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
However that didn't work either.
I'm unfortunately also not that familiar with firewalld to help you
further.
Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20191231/aa3f9c13/attachment.html>

More information about the Swan mailing list