[Swan] Firewalld libreswan centos8

Paul Wouters paul at nohats.ca
Tue Dec 31 02:48:23 UTC 2019

On Tue, 31 Dec 2019, Ian Willis wrote:

> Doing a tcpdump on the outbound interface on the client shows a mix of IPSEC and ICMP packeting during the ping tests which initially
> confused me but appears to be normal.

It is, unless you are doing XFRMi interfaces (arriving soon) or VTI
interfaces (obsoleted soon). The problem is that tcpdump "sees" the
packet before encryption and not after encryption, and for incoming
packets sees it twice - before and after encryption. Once a virtual
interface is used, these two streams properly split between virtual
and physical interface.

> I suspect that I need to work on the packets from a postrouting perspective as the incoming packets aren't visible. I suspect that
> firewalld is more of a machine based firewall rather than a firewall proper, so my expectations may be a little high.


> On the bright side, I now have clients machines joining a private freeipa kerberos domain via an ipsec tunnel.

Do you have any documentation on this you could share with us? I'd love
to have a HOWTO written up for this!


More information about the Swan mailing list