[Swan] Firewalld libreswan centos8

Ian Willis ian at checksum.net.au
Thu Jan 2 01:56:46 UTC 2020


Hi Paul,

I might be able to write up a howto at some point; however, I'm still
stumbling over a few issues.
For instance, on shutdown the automount NFS mounts are being unmounted
after the IPSEC tunnel terminates. I've tried _netdev, however this
appears to do very little.
Also, having automount home directories makes firefox very slow to
start. The existing environment variable fixes don't appear to do much
in this regard; however, something like fs-cache might help. However,
this requires systemd to do its job well.

There are also a few selinux bugs/configuration issues floating
around in centos8.

On a more positive note libreswan with a few tweaks appears to be very
solid.

Kind Regards

-----Original Message-----
From: Paul Wouters <paul at nohats.ca>
To: Ian Willis <ian at checksum.net.au>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan]  Firewalld libreswan centos8
Date: Mon, 30 Dec 2019 21:48:23 -0500 (EST)

On Tue, 31 Dec 2019, Ian Willis wrote:

> Doing a tcpdump on the outbound interface on the client shows a mix of
> IPSEC and ICMP packets during the ping tests, which initially confused
> me but appears to be normal.

It is, unless you are doing XFRMi interfaces (arriving soon) or
VTI interfaces (obsoleted soon). The problem is that tcpdump "sees"
the packet before encryption and not after encryption, and for
incoming packets sees it twice - before and after encryption. Once a
virtual interface is used, these two streams properly split between
virtual and physical interface.

> I suspect that I need to work on the packets from a postrouting
> perspective as the incoming packets aren't visible. I suspect
> that firewalld is more of a machine based firewall rather than a
> firewall proper, so my expectations may be a little high.

Right.

> On the bright side, I now have client machines joining a private
> freeipa kerberos domain via an ipsec tunnel.

Do you have any documentation on this you could share with us? I'd
love to have a HOWTO written up for this!

Paul
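The shutdown ordering problem Ian describes (NFS shares unmounted only after the tunnel is gone) is one systemd can fix by mount option, since units stop in the reverse of their start order. The fstab entry below is an added example, not configuration from the thread or from libreswan; it assumes the shares are managed through fstab with systemd's automount (not autofs), that libreswan's unit is named ipsec.service, and uses a constructed server address and export path.

```fstab
# Added example (not from the thread): NFS home directories that are only
# reachable through the libreswan tunnel.
# Assumptions: server 10.0.0.10 and export /export/home are constructed;
# the libreswan unit is assumed to be ipsec.service; mounts are driven by
# systemd automount rather than autofs.

# What was tried: _netdev only orders the mount after network-online.target.
# systemd has no idea the path runs over IPsec, so at shutdown ipsec.service
# may stop first and the unmount then hangs or fails.
#10.0.0.10:/export/home  /home  nfs4  _netdev,x-systemd.automount  0 0

# Corrected: x-systemd.requires= adds Requires= and After= on ipsec.service
# to the generated home.mount unit. Start order is tunnel first, then the
# mount; stop order is therefore mount first, then the tunnel.
10.0.0.10:/export/home  /home  nfs4  _netdev,x-systemd.automount,x-systemd.requires=ipsec.service,x-systemd.idle-timeout=600  0 0
```

Run systemctl daemon-reload after editing fstab so the generated mount and automount units pick up the new dependency; systemctl list-dependencies home.mount should then show ipsec.service.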
