[Firehol-support] IPSec + Firehol
Viktor Remennik
vik at etogo.net
Fri Jul 6 12:42:07 BST 2018
Hi Carlos Miguel,
Had the same issue, found no solution yet. It is mentioned in the docs
that it is possible, but no clue how. The "ipsec+" interface wildcard
is mentioned, but I can't get it working. Maybe it's not suitable for
tunnels because there's no dedicated interface for the ipsec.
Workaround is, as you noticed, just to add the raw iptables rule. I did
it adding this to the end of the firehol.conf:
iptables -I INPUT --match policy --pol ipsec --dir in --proto esp -s 172.16.0.0/16 -j ACCEPT
iptables -I OUTPUT --match policy --pol ipsec --dir out --proto esp -d 172.16.0.0/16 -j ACCEPT
Where 172.16.0.0/16 is the internal subnet.
No masquerading is required if you use a tunnel; you just connect to the
internal network over the internet. Also, there's no new interface for
the tunnel, so no firehol policies will be applied. According to this
rule, any port is accepted via the tunnel.
Please let me know if you find a solution. I almost decided to drop
firehol due to lack of support though. There are a lot of other firewalls
and even a raw iptables fw is better, as you see.
https://github.com/firehol/firehol/issues/323
https://serverfault.com/questions/900531/firehol-ipsec-configuration
Kind regards,
Viktor
On 7/6/18 14:00, firehol-support-request at lists.firehol.org wrote:
> Hello to all
>
> I'm trying to have an IPsec tunnel to work in my router for hosts on
> the internet and according to the strongswan documentation, I
> understand that I need to add a postrouting rule to iptables before
> the masquerade rule [1].
>
> My question is, how can I do this?
>
> I also understand that firehol also provides ipsec service rules, but
> for what I understand, that's only used to open ports.
>
> Some help would be appreciated.
>
>
> [1]: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-Internet
>
> My regards,
> Carlos Miguel Ferreira
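The workaround from the reply above, written out as an added example (not code from the thread or from the firehol project) in the form of a shell fragment that could be appended to firehol.conf. It goes beyond the two rules in the reply by also covering FORWARD for the router case and by adding the nat POSTROUTING exemption that the strongswan page cited as [1] asks for; the subnet 172.16.0.0/16 is taken from the reply, and DRY_RUN is an assumed helper that only prints the commands.

```shell
# Added example, not from the thread. DRY_RUN=1 (the default) only prints the
# iptables commands; set DRY_RUN=0 to apply them on a real firewall.
IPSEC_NET="${IPSEC_NET:-172.16.0.0/16}"   # internal subnet, value from the reply
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command, depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# All rules use the xt_policy match, so they apply to packets that were
# decapsulated from (or will be encapsulated into) an ESP security association,
# which is why no tunnel interface is needed.
ipsec_rules() {
    # Traffic arriving from the remote subnet through the tunnel, to this host
    run -I INPUT   -m policy --pol ipsec --dir in  --proto esp -s "$IPSEC_NET" -j ACCEPT
    # Same, but routed on to the local LAN (router case from the question)
    run -I FORWARD -m policy --pol ipsec --dir in  --proto esp -s "$IPSEC_NET" -j ACCEPT
    # Replies from this host and from the LAN that will be sent into the tunnel
    run -I OUTPUT  -m policy --pol ipsec --dir out --proto esp -d "$IPSEC_NET" -j ACCEPT
    run -I FORWARD -m policy --pol ipsec --dir out --proto esp -d "$IPSEC_NET" -j ACCEPT
    # Exempt tunnel-bound traffic from NAT: inserted at position 1 so it sits
    # ahead of any MASQUERADE rule firehol generated (the ordering [1] requires)
    run -t nat -I POSTROUTING 1 -m policy --pol ipsec --dir out -j ACCEPT
}

ipsec_rules
```

Note that, as in the reply, these rules accept every port over the tunnel; narrow the -s/-d arguments or add port matches if the tunnel should carry only specific services.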