Hi Paul,

I might be able to write up a howto at some point; however, I'm still stumbling over a few issues. For instance, on shutdown the automount NFS mounts are being unmounted after the IPsec tunnel terminates. I've tried _netdev; however, this appears to do very little. Also, having automount home directories makes Firefox very slow to start. The existing environment variable fixes don't appear to do much in this regard; however, something like fs-cache might help. That, though, requires systemd to do its job well.

There are also a few SELinux bugs/configuration issues floating around in CentOS 8. On a more positive note, libreswan with a few tweaks appears to be very solid.

Kind Regards

-----Original Message-----
From: Paul Wouters <[email protected]>
To: Ian Willis <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] Firewalld libreswan centos8
Date: Mon, 30 Dec 2019 21:48:23 -0500 (EST)

On Tue, 31 Dec 2019, Ian Willis wrote:

> Doing a tcpdump on the outbound interface on the client shows a mix of
> IPsec and ICMP packets during the ping tests, which initially confused me
> but appears to be normal.

It is, unless you are doing XFRMi interfaces (arriving soon) or VTI interfaces (obsoleted soon). The problem is that tcpdump "sees" the packet before encryption and not after encryption, and for incoming packets sees it twice - before and after encryption. Once a virtual interface is used, these two streams properly split between virtual and physical interface.

> I suspect that I need to work on the packets from a postrouting
> perspective as the incoming packets aren't visible. I suspect that
> firewalld is more of a machine-based firewall rather than a firewall
> proper, so my expectations may be a little high.

Right.

> On the bright side, I now have client machines joining a private
> FreeIPA Kerberos domain via an IPsec tunnel.

Do you have any documentation on this you could share with us? I'd love to have a HOWTO written up for this!

Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
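The shutdown-ordering problem Ian describes above (NFS automounts still in use when the IPsec tunnel goes down) is normally an ordering question for systemd rather than an NFS mount option: systemd stops units in the reverse of their After= ordering, so an automounter unit ordered After=ipsec.service is stopped, and its mounts unmounted, before the tunnel is torn down. The script below is an added example written for this page, not code from the thread or from the libreswan project. It assumes libreswan runs as ipsec.service and that the automounter is autofs.service (both assumptions, overridable via environment variables); it writes a systemd drop-in and checks it, and can be pointed at a scratch root directory for a dry run.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): order the automounter
# after the IPsec service so that systemd stops it BEFORE ipsec.service.
#
# Assumptions (not stated on the page): libreswan's unit is ipsec.service and
# the automounter is autofs.service. Override with IPSEC_UNIT / AUTOMOUNT_UNIT.
IPSEC_UNIT="${IPSEC_UNIT:-ipsec.service}"
AUTOMOUNT_UNIT="${AUTOMOUNT_UNIT:-autofs.service}"
DROPIN_NAME="10-after-ipsec.conf"

# Emit the drop-in body for the given IPsec unit.
#   After=    : start after the tunnel is up; on shutdown this ordering is
#               reversed, so the automounter (and its mounts) stop first.
#   Requires= : if the tunnel unit is stopped on its own, pull the
#               automounter down with it. Use Wants= instead if you prefer
#               the automounter to survive an IPsec restart.
dropin_text() {
    printf '[Unit]\n'
    printf '# Stop automounts before the IPsec tunnel goes away (added example).\n'
    printf 'After=%s network-online.target\n' "$1"
    printf 'Requires=%s\n' "$1"
}

# Write the drop-in under an optional root (default: the live system).
# Prints the path of the file written so callers can verify it.
install_dropin() {
    root="${1:-}"
    dir="$root/etc/systemd/system/$AUTOMOUNT_UNIT.d"
    mkdir -p "$dir"
    dropin_text "$IPSEC_UNIT" > "$dir/$DROPIN_NAME"
    printf '%s\n' "$dir/$DROPIN_NAME"
}

# Check that a drop-in actually carries the two directives we rely on.
# Returns 0 when both are present, 1 otherwise.
check_dropin() {
    grep -q "^After=.*$IPSEC_UNIT" "$1" || return 1
    grep -q "^Requires=$IPSEC_UNIT" "$1" || return 1
    return 0
}

# Show the resulting ordering on a live system (no-op in a dry run).
show_ordering() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl daemon-reload
    systemctl show -p After -p Requires "$AUTOMOUNT_UNIT"
}

# Usage: run as root for a live install, or pass a scratch directory to
# inspect the generated file first:
#   sh order-automount.sh /tmp/dryrun && cat /tmp/dryrun/etc/systemd/system/autofs.service.d/10-after-ipsec.conf
if [ "${1:-}" != "" ] && [ "$(basename "$0")" = "order-automount.sh" ]; then
    path=$(install_dropin "$1")
    check_dropin "$path" && echo "drop-in written: $path"
    [ "$1" = "/" ] && show_ordering
fi
```

After installing on a real host, run `systemctl daemon-reload` and confirm with `systemctl list-dependencies --reverse ipsec.service` that the automounter now appears under the IPsec unit; if you use systemd's own automounts from fstab rather than autofs, the equivalent is the `x-systemd.after=ipsec.service` mount option documented in systemd.mount(5), with `_netdev` kept for the network-online ordering.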
