On Tue, 24 Dec 2019, Ian Willis wrote:
> While it's not really a libreswan issue, I thought that someone here might be
> able to assist.
> With a datacentre network of 10.10.10.0/20 and a libreswan IPsec-allocated
> network of (10.200.200.16-10.200.200.64), i.e. 10.200.200.0/24, I
> want to allow traffic to route between the networks. I don't
> want to use NAT and I would like to use the firewall.
> The reason for not wanting NAT is that when services are consumed the source IP
> address is logged, which is associated with an end user.
> I can ping between the hosts, so routing appears to be correct.
> Everything routes correctly when I stop firewalld.
If firewalld is running, does the IPsec tunnel establish? If not, then
you need to allow IPsec using:
firewall-cmd --add-service=ipsec --permanent
firewall-cmd --reload
this will ensure that IKE and IPsec packets are accepted.
> I had thought that this would be pretty simple with something like the following:
> firewall-cmd --zone=work --add-rich-rule='rule family="ipv4" source address="10.200.200.0/24" destination address="10.10.10.0/20" protocol value="tcp" log level="warning" accept'
> However, the traffic was still being dropped by the firewall.
> I then thought that a direct rule might help.
> Something like:
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -o ens7 \
>     -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> However, that didn't work either.
I'm unfortunately not familiar enough with firewalld to help you further.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
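The thread ends without a working rule set, so here is one as an added example; it is not code from the thread, from libreswan or from firewalld. It assumes the host is the libreswan gateway, that libreswan runs policy-based (XFRM) IPsec so decrypted client packets reach the FORWARD chain with the input interface set to the interface the ESP packets arrived on, and it uses hypothetical interface names (ens3 towards the IPsec peers, ens7 towards the datacentre) that you must change. It uses direct rules because firewalld puts them in FORWARD_direct, which is evaluated before the zone chains, so they take effect regardless of which zone the interfaces are bound to; unlike the DNS-only rule quoted above it covers every protocol and adds the return direction. Two checks a practitioner wants: a rule added with --permanent is not active until firewall-cmd --reload, and --add-service=ipsec without --zone applies to the default zone, so add --zone=... if the IPsec-facing interface is bound elsewhere.

```shell
#!/bin/sh
# Added example (not code from the thread, libreswan or firewalld): forward
# traffic between a libreswan client pool and a datacentre subnet with
# firewalld direct rules, without NAT, logging each new client connection so
# the client's real source IP ends up in the log.
#
# Hypothetical interface names for this example; change them to match the host.
# With policy-based (XFRM) IPsec the decrypted packets hit FORWARD with -i set
# to the interface the ESP packet came in on.
VPN_NET="10.200.200.0/24"   # libreswan client pool (from the thread)
DC_NET="10.10.10.0/20"      # datacentre network (from the thread)
VPN_IF="ens3"               # interface facing the IPsec peers (assumed)
DC_IF="ens7"                # interface facing the datacentre (assumed)

# Set FWCMD=echo to print the firewall-cmd invocations instead of running them.
: "${FWCMD:=firewall-cmd}"

# Emit the argument string of one direct rule on the ipv4 filter FORWARD chain.
# $1 priority, $2 in-interface, $3 out-interface, $4 src, $5 dst, $6 ctstates,
# remaining arguments: the target and its options.
direct_forward_rule() {
    prio=$1; in_if=$2; out_if=$3; src=$4; dst=$5; states=$6
    shift 6
    printf 'ipv4 filter FORWARD %s -i %s -o %s -s %s -d %s -m conntrack --ctstate %s %s\n' \
        "$prio" "$in_if" "$out_if" "$src" "$dst" "$states" "$*"
}

# The complete rule set, one rule per line, lowest priority number first.
forwarding_rules() {
    # Log new VPN->DC connections (rate limited) with the client's source IP.
    direct_forward_rule 0 "$VPN_IF" "$DC_IF" "$VPN_NET" "$DC_NET" NEW \
        -m limit --limit 10/min -j LOG --log-prefix vpn-fwd: --log-level warning
    # VPN clients may open connections to the datacentre.
    direct_forward_rule 1 "$VPN_IF" "$DC_IF" "$VPN_NET" "$DC_NET" NEW,RELATED,ESTABLISHED -j ACCEPT
    # Datacentre hosts may only answer; add a NEW rule here if they must initiate.
    direct_forward_rule 2 "$DC_IF" "$VPN_IF" "$DC_NET" "$VPN_NET" RELATED,ESTABLISHED -j ACCEPT
}

# Apply permanently: allow IKE, ESP and AH via the firewalld "ipsec" service in
# the default zone (add --zone=... if the IPsec-facing interface is bound to
# another zone), add the direct rules, then reload so --permanent takes effect.
apply_forwarding() {
    "$FWCMD" --permanent --add-service=ipsec
    forwarding_rules | while read -r rule; do
        # shellcheck disable=SC2086  # the rule is intentionally split into arguments
        "$FWCMD" --permanent --direct --add-rule $rule
    done
    "$FWCMD" --reload
}

# Verify against a "firewall-cmd --direct --get-all-rules" listing read from
# stdin. Returns 0 when every rule from forwarding_rules is present, 1 otherwise.
rules_present() {
    listing=$(cat)
    forwarding_rules | while read -r rule; do
        printf '%s\n' "$listing" | grep -qxF -- "$rule" || exit 1
    done
}

case "${1:-}" in
    apply) apply_forwarding ;;
    show)  forwarding_rules ;;
    check) rules_present ;;   # e.g. firewall-cmd --direct --get-all-rules | sh fwd.sh check
esac
```

Run with `show` first and compare the output with `firewall-cmd --direct --get-all-rules`; `check` does that comparison for you. The return-direction rule deliberately admits only RELATED,ESTABLISHED so that datacentre hosts cannot reach VPN clients unless you add a NEW rule for that direction.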