Hi Paul,

Thanks for the response,

The IPSEC connection is up, running and routing. The ping tests are done to a private 10 network behind the IPSEC termination point, so the only path to this network is via a tunnel. Doing a tcpdump on the outbound interface on the client shows a mix of IPSEC and ICMP packets during the ping tests, which initially confused me but appears to be normal. I suspect that I need to work on the packets from a postrouting perspective as the incoming packets aren't visible. I suspect that firewalld is more of a machine-based firewall rather than a firewall proper, so my expectations may be a little high.

On the bright side, I now have client machines joining a private FreeIPA Kerberos domain via an IPsec tunnel. Now to see if I can make home directories automount via NFS, which may require solving the NAT issues, and I should be mostly done.

Regards
Ian

-----Original Message-----
From: Paul Wouters <[email protected]>
To: Ian Willis <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] Firewalld libreswan centos8
Date: Mon, 30 Dec 2019 20:57:26 -0500 (EST)

On Tue, 24 Dec 2019, Ian Willis wrote:

> While it's not really a libreswan issue I thought that someone here might be able to assist.
>
> With a datacentre network of 10.10.10.0/20 and a libreswan IPsec allocated network of (10.200.200.16-10.200.200.64), i.e. 10.200.200.0/24, I want to allow traffic to be able to route between the networks. I don't want to use NAT and I would like to use the firewall. The reason for not wanting NAT is that when services are consumed the source IP address is logged, which is associated with an end user.
>
> I can ping between the hosts, so routing appears to be correct. Everything routes correctly when I stop firewalld.

If firewalld is running, does the IPsec tunnel establish? If not, then you need to allow IPsec using:

firewall-cmd --add-service=ipsec --permanent
firewall-cmd --reload

This will ensure that IKE and IPsec packets are accepted.

> I had thought that this would be pretty simple with something like the following:
>
> firewall-cmd --zone=work --add-rich-rule='rule family="ipv4" source address="10.200.200.0/24" destination address="10.10.10.0/20" protocol value="tcp" log level="warning" accept'
>
> However the traffic was still being dropped by the firewall. I then thought that a direct rule might help. Something like:
>
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -o ens7 -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> However that didn't work either.

I'm unfortunately also not that familiar with firewalld to help you further.

Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
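The thread leaves the forwarding question open. The script below is an added example, not from either mail or from libreswan/firewalld: it builds the firewall-cmd direct rules for the FORWARD chain (where forwarded packets are judged; the zone rich rule above acts on traffic addressed to the host itself), restricts the accept to packets that really arrived inside an IPsec SA via the iptables `policy` match, and covers ICMP as well as TCP, which the tcp/53 direct rule in the thread does not. The interface names ens3/ens7 and the two subnets are taken from Ian's mails; which side each interface faces is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions:
#   ens3 = interface terminating the IPsec tunnel, ens7 = datacentre side,
#   10.200.200.0/24 = IPsec client pool, 10.10.10.0/20 = datacentre network.
set -eu

OUTER_IF=ens3            # IPsec (tunnel) side
INNER_IF=ens7            # datacentre side
VPN_NET=10.200.200.0/24
DC_NET=10.10.10.0/20

# Print the firewall-cmd invocations instead of running them, so the plan
# can be reviewed (and tested) on a machine without firewalld installed.
forward_rules() {
    # IKE (UDP 500/4500) and ESP to the host itself, as suggested in the thread.
    echo "firewall-cmd --permanent --add-service=ipsec"
    # Decrypted packets re-enter the stack on $OUTER_IF with their inner
    # 10.200.200.x source. "-m policy --dir in --pol ipsec" accepts them only
    # if they arrived inside an IPsec SA, so unencrypted packets spoofing the
    # VPN pool on the same interface are not forwarded. No -p, so ICMP matches.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0" \
         "-i $OUTER_IF -o $INNER_IF -s $VPN_NET -d $DC_NET" \
         "-m policy --dir in --pol ipsec -j ACCEPT"
    # Replies: only traffic belonging to a connection the VPN side opened,
    # and only if it will be encrypted on the way out.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0" \
         "-i $INNER_IF -o $OUTER_IF -s $DC_NET -d $VPN_NET" \
         "-m conntrack --ctstate ESTABLISHED,RELATED" \
         "-m policy --dir out --pol ipsec -j ACCEPT"
    # Permanent direct rules only take effect after a reload.
    echo "firewall-cmd --reload"
}

# Run the plan for real (as root, on the IPsec gateway).
apply_rules() {
    forward_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd    # intentional word splitting; no argument contains spaces
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     forward_rules ;;
esac
```

Run it without arguments to review the rules, then with `apply` to install them; `firewall-cmd --direct --get-all-rules` afterwards shows what was added.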
