Adam Tauno Williams
2018-Apr-24 18:18 UTC
[CentOS] Libreswan IPSec Protected GRE Tunnel & firewall-cmd
I am attempting to set up an IPSec-protected GRE tunnel with a Cisco router. I believe the IPSec association is up; however, I cannot move traffic over the tunnel. It is not clear how to integrate the tunnel interface (gre1) with firewall-cmd; adding the interface to trusted does not appear to 'stick'.

[root@aqueduct ~]# firewall-cmd --add-interface=gre1 --zone=trusted
The interface is under control of NetworkManager and already bound to 'trusted'
The interface is under control of NetworkManager, setting zone to 'trusted'.

[root@aqueduct ~]# firewall-cmd --list-all --zone=trusted
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:     <<<< nothing
...

No traffic ever appears to be received by the GRE interface.

6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UNKNOWN qlen 1
    link/gre A.B.C.D peer X.Y.W.Z
    inet 10.65.1.1 peer 10.65.1.2/32 scope global gre1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:4acc:1a64/64 scope link
       valid_lft forever preferred_lft forever

[root@aqueduct ~]# ifconfig gre1
gre1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1460
        inet 10.65.1.1  netmask 255.255.255.255  destination 10.65.1.2
        inet6 fe80::200:5efe:4acc:1a64  prefixlen 64  scopeid 0x20<link>
        unspec 4A-CC-1A-64-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 1  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146  bytes 12180 (11.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
OpenGroupware Developer <http://www.opengroupware.us/>
Adam Tauno Williams
2018-Apr-24 20:36 UTC
[CentOS] Libreswan IPSec Protected GRE Tunnel & firewall-cmd
On Tue, 2018-04-24 at 14:18 -0400, Adam Tauno Williams wrote:
> I am attempting to set up an IPSec-protected GRE tunnel with a Cisco
> router.  I believe the IPSec association is up; however, I cannot move
> traffic over the tunnel.
> It is not clear how to integrate the tunnel interface (gre1) with
> firewall-cmd; adding the interface to trusted does not appear to
> 'stick'.

While I cannot reference the interface in a firewall rule, I have been able to get the tunnel operational using:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
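As an added example that is not part of this thread, the script below automates the two checks the posts perform by hand: whether firewalld carries a direct INPUT rule accepting protocol gre, and whether gre1 shows the one-way symptom (TX packets climbing, RX stuck at 0) that points at inbound GRE being dropped before it reaches the tunnel. It also prints the rule in a form scoped to the tunnel peer with `-s`, since the bare `-p gre -j ACCEPT` from the second post admits GRE from any source; `--permanent`, `--reload` and `--direct --get-all-rules` are standard firewall-cmd options. `PEER_ADDR` is a placeholder for the router's public address, and the rule listing and ifconfig text are constructed samples so the script runs without a firewalld host; on a real host as root it reads the live rule list instead (read-only, it changes nothing).

```shell
#!/bin/sh
# Added example (not from the thread): check the two things the posts look at.
#  1. Does firewalld carry a direct INPUT rule accepting protocol gre?
#  2. Does gre1 transmit but never receive (the one-way symptom in the first post)?
# PEER_ADDR is a placeholder for the Cisco router's public address.

PEER_ADDR="${PEER_ADDR:-X.Y.W.Z}"

# Arguments for a direct rule that accepts GRE only from the tunnel peer,
# rather than from any source as the bare "-p gre -j ACCEPT" rule does.
gre_rule_args() {
    printf 'ipv4 filter INPUT 0 -s %s -p gre -j ACCEPT\n' "$1"
}

# Read the output of `firewall-cmd --direct --get-all-rules` on stdin and
# succeed if some INPUT rule accepts protocol gre (with or without -s).
gre_input_rule_present() {
    grep -Eq '^ipv4 filter INPUT [0-9]+ .*-p gre .*-j ACCEPT'
}

# Read `ifconfig gre1` output on stdin and print the RX / TX packet counts.
rx_packets() { awk '/RX packets/ { print $3; exit }'; }
tx_packets() { awk '/TX packets/ { print $3; exit }'; }

# Succeed when packets leave the tunnel but none ever arrive: the pattern
# that points at a filter (or the far end) dropping inbound GRE.
gre_looks_one_way() {
    out=$(cat)
    rx=$(printf '%s\n' "$out" | rx_packets)
    tx=$(printf '%s\n' "$out" | tx_packets)
    [ "${tx:-0}" -gt 0 ] && [ "${rx:-0}" -eq 0 ]
}

# Constructed samples so the checks run without a firewalld host.
SAMPLE_RULES_MISSING='ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT'
SAMPLE_RULES_OK="$SAMPLE_RULES_MISSING
$(gre_rule_args "$PEER_ADDR")"
SAMPLE_IFCONFIG=$(cat <<'EOF'
gre1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1460
        inet 10.65.1.1  netmask 255.255.255.255  destination 10.65.1.2
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146  bytes 12180 (11.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
EOF
)

main() {
    if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        rules=$(firewall-cmd --direct --get-all-rules)   # live, read-only
        stats=$(ifconfig gre1 2>/dev/null || true)
    else
        rules=$SAMPLE_RULES_OK
        stats=$SAMPLE_IFCONFIG
    fi
    if printf '%s\n' "$rules" | gre_input_rule_present; then
        echo "GRE INPUT accept rule present"
    else
        echo "no GRE INPUT rule; to add one scoped to the peer and keep it across reloads:"
        echo "  firewall-cmd --permanent --direct --add-rule $(gre_rule_args "$PEER_ADDR")"
        echo "  firewall-cmd --reload"
    fi
    if printf '%s\n' "$stats" | gre_looks_one_way; then
        echo "gre1 transmits but receives nothing: inbound GRE is being dropped"
    fi
}

main
```

The one-way check is only a pointer: RX staying at 0 on gre1 is consistent with the host filter dropping protocol 47 (the situation in the first post), but also with the router never sending, or with the IPsec policy on either side not matching the GRE endpoints, so confirm the direct rule first and then look at the libreswan side if the counters still do not move.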