On Tue, 31 Dec 2019, Ian Willis wrote:
> Doing a tcpdump on the outbound interface on the client shows a mix of IPsec and ICMP packets during the ping tests, which initially confused me but appears to be normal.
It is, unless you are doing XFRMi interfaces (arriving soon) or VTI interfaces (obsoleted soon). The problem is that tcpdump "sees" the packet before encryption and not after encryption, and for incoming packets sees it twice - before and after encryption. Once a virtual interface is used, these two streams properly split between virtual and physical interface.
> I suspect that I need to work on the packets from a postrouting perspective as the incoming packets aren't visible. I suspect that firewalld is more of a machine-based firewall rather than a firewall proper, so my expectations may be a little high.
Right.
> On the bright side, I now have client machines joining a private FreeIPA Kerberos domain via an IPsec tunnel.
Do you have any documentation on this you could share with us? I'd love to have a HOWTO written up for this!

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
