I am trying to "enforce" IPsec (strongSwan) traffic on openSUSE. On OpenBSD, with the IKE daemon iked and the packet filter pf, I employ a ruleset like the following to ensure only encapsulated traffic passes the interface, practically blocking all traffic should the tunnel be down:
```
block on vio1
block on enc0
pass in on vio1 proto udp from 10.1.1.2 to 10.1.0.2 \
    port {500, 4500}
pass out on vio1 proto udp from 10.1.0.2 to 10.1.1.2 \
    port {500, 4500}
pass in on vio1 proto esp from 10.1.1.2 to 10.1.0.2
pass out on vio1 proto esp from 10.1.0.2 to 10.1.1.2
pass in on enc0 from 10.1.1.2 to 10.1.0.2 \
    keep state (if-bound)
pass out on enc0 from 10.1.0.2 to 10.1.1.2 \
    keep state (if-bound)
```
I was unable to locate instructions on how to employ such a ruleset on firewalld-based GNU/Linux systems, but I might have been looking for the wrong terms. If possible, I would like to use native firewalld commands; however, should these not suffice for capturing ESP packets, I assume "rich" rules could be employed just as well.
Would appreciate any help.
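A firewalld translation of the pf ruleset above, added here as an example and not part of the question. It assumes the local host is 10.1.0.2, the peer is 10.1.1.2, the untrusted interface is eth0 (pf's vio1), and that firewalld runs with `FirewallBackend=iptables`: rich rules cover IKE and ESP, but the "pass on enc0" part needs the iptables policy match, which firewalld only exposes through direct rules.

```shell
#!/bin/sh
# Added example, not from the question. Assumed values: local 10.1.0.2, IPsec peer
# 10.1.1.2, untrusted interface eth0. Set FW=echo to print commands instead of applying.
# Direct rules are iptables rules, so FirewallBackend=iptables is assumed in
# /etc/firewalld/firewalld.conf; with the nftables backend the nft zone chains still
# evaluate the decapsulated packets and the zone's DROP target wins.
set -eu
FW="${FW:-firewall-cmd}"
FWP="$FW --permanent"
LOCAL=10.1.0.2
PEER=10.1.1.2
IFACE=eth0
ZONE=ipsec-only

# "block on vio1" plus the IKE/ESP passes: a zone with target DROP whose only
# rich rules admit UDP 500/4500 and ESP from the peer.
ike_and_esp_rules() {
  $FWP --new-zone="$ZONE"
  $FWP --zone="$ZONE" --set-target=DROP
  $FWP --zone="$ZONE" --change-interface="$IFACE"
  for p in 500 4500; do
    $FWP --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$PEER\" destination address=\"$LOCAL\" port port=\"$p\" protocol=\"udp\" accept"
  done
  $FWP --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$PEER\" destination address=\"$LOCAL\" protocol value=\"esp\" accept"
}

# "pass on enc0": Linux has no enc0; decapsulated packets re-enter INPUT on eth0
# itself, so accept them only when the kernel says they came out of an IPsec SA
# (-m policy --pol ipsec). Rich rules cannot express this, hence direct rules.
# firewalld leaves OUTPUT open by default, so the outbound "block" is added here too.
decapsulated_rules() {
  $FWP --direct --add-rule ipv4 filter INPUT 0 -s "$PEER" -d "$LOCAL" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  $FWP --direct --add-rule ipv4 filter OUTPUT 0 -o "$IFACE" -d "$PEER" -p udp -m multiport --dports 500,4500 -j ACCEPT
  $FWP --direct --add-rule ipv4 filter OUTPUT 0 -o "$IFACE" -d "$PEER" -p esp -j ACCEPT
  $FWP --direct --add-rule ipv4 filter OUTPUT 0 -s "$LOCAL" -d "$PEER" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
  $FWP --direct --add-rule ipv4 filter OUTPUT 1 -o "$IFACE" -j DROP
}

if [ "${1:-}" = apply ]; then
  ike_and_esp_rules
  decapsulated_rules
  $FW --reload
fi
```

If the SAs carry whole subnets rather than these two hosts, the same policy match belongs in FORWARD instead of INPUT/OUTPUT. On a NetworkManager-managed interface, bind the zone on the connection (`nmcli con mod <name> connection.zone ipsec-only`) rather than with `--change-interface`.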