Hello,
I'm trying to set up an IPsec VPN on CentOS 7. I have done it with iptables on one server, but failed with the firewalld configuration on another server. Here are my inputs and the error message:
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=dmz --permanent --add-port=500/udp
firewall-cmd --zone=dmz --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=dmz --permanent --add-masquerade
(All succeed, except the one below:)
firewall-cmd --permanent --set-default-zone=dmz
(Here's the error message:)
usage: see firewall-cmd man page
Can't use stand-alone options with other options.
Any solutions? Thank you!!
IPSEC VPN firewall configuration
Last edited by seashore on 2016/01/27 01:48:57, edited 1 time in total.
Re: IPSEC VPN firewall configuration
Just guessing really:
1. Check you have esp and ah in /etc/protocols
2. Check the XML files in /etc/firewalld/zones/
3. Check the error code (${?}) returned; they are listed in the man page and might give you a clue.
4. Remove the zone and re-add it (perhaps you have some other stuff in there from previous attempts?)
5. Do each command and check that they have been applied one at a time.
Re: IPSEC VPN firewall configuration
Thank you aks! Here are the messages:
1.
esp 50 ESP # Encap Security Payload
ah 51 AH # Authentication Header
2.
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>DMZ</short>
<description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
<masquerade/>
<rule>
<protocol value="esp"/>
<accept/>
</rule>
<rule>
<protocol value="ah"/>
<accept/>
</rule>
</zone>
I used firewall-cmd --set-default-zone=dmz instead of firewall-cmd --permanent --set-default-zone=dmz. It works.
firewall-cmd --get-default-zone shows dmz, even after the reboot.
The next question is: what does --permanent do here?
Re: IPSEC VPN firewall configuration
It saves it so it will survive a reboot.
You need to issue both commands.
Re: IPSEC VPN firewall configuration
Yeah so I guess set it and then set it permanent (i.e.: write to disk, not just memory).
Re: IPSEC VPN firewall configuration
Here is the reference:
Permanent Options
--permanent
The permanent option --permanent can be used to set options
permanently. These changes are not effective immediately, only
after service restart/reload or system reboot. Without the
--permanent option, a change will only be part of the runtime
configuration. The --permanent option can not be used with all
options.
If you want to make a change in runtime and permanent
configuration, use the same call with and without the --permanent
option.
The --permanent option can be optionally added to all options
further down where it is supported.
Thank you guys!
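An added example, not from any poster in this thread, that turns aks's step 2 (check the XML in /etc/firewalld/zones/) and the man page extract above into a small script. It assumes the zone file has the same layout as the dmz.xml pasted above; the helper names (apply_both, zone_has_port, zone_accepts_protocol, ipsec_zone_check) are made up for this example. The sample zone file is constructed inline so the checks run anywhere; on a real host you would point them at /etc/firewalld/zones/dmz.xml. Note that --set-default-zone is one of the options the man page says --permanent cannot be combined with, and as seashore found it persists across reboot on its own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the zone file layout matches
# the dmz.xml pasted above; the helper names are invented for this example.

# apply_both ARGS...: the pattern the man page recommends - the same call without
# and with --permanent, so the change is live now and also written to disk for the
# next reload/reboot. Not executed below; it needs a host with firewalld installed.
# Example: apply_both --zone=dmz --add-port=500/udp
apply_both() {
  firewall-cmd "$@" && firewall-cmd --permanent "$@"
}

# Constructed copy of the permanent zone file from the thread, written to a temp
# file so the checks run offline (real file: /etc/firewalld/zones/dmz.xml).
SAMPLE_ZONE="$(mktemp)"
cat > "$SAMPLE_ZONE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <service name="ssh"/>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <masquerade/>
  <rule>
    <protocol value="esp"/>
    <accept/>
  </rule>
  <rule>
    <protocol value="ah"/>
    <accept/>
  </rule>
</zone>
EOF

# zone_has_port FILE PROTO PORT: true if the permanent zone file opens PROTO/PORT
zone_has_port() {
  grep -q "<port protocol=\"$2\" port=\"$3\"/>" "$1"
}

# zone_accepts_protocol FILE PROTO: true if a rich rule accepts IP protocol PROTO
# (esp or ah). Newlines are folded so <protocol .../> and <accept/> match as a pair.
zone_accepts_protocol() {
  tr -d '\n' < "$1" | grep -q "<protocol value=\"$2\"/>[[:space:]]*<accept/>"
}

# ipsec_zone_check FILE: print what the zone is missing for an IPsec gateway
# (IKE, IKE NAT-T, ESP, AH, masquerade). Return value = number of missing items,
# so 0 means the permanent configuration matches the intended rule set.
ipsec_zone_check() {
  missing=0
  zone_has_port "$1" udp 500  || { echo "missing: udp/500 (IKE)";        missing=$((missing + 1)); }
  zone_has_port "$1" udp 4500 || { echo "missing: udp/4500 (IKE NAT-T)"; missing=$((missing + 1)); }
  zone_accepts_protocol "$1" esp || { echo "missing: rich rule accepting esp"; missing=$((missing + 1)); }
  zone_accepts_protocol "$1" ah  || { echo "missing: rich rule accepting ah";  missing=$((missing + 1)); }
  grep -q '<masquerade/>' "$1"   || { echo "missing: masquerade";              missing=$((missing + 1)); }
  return "$missing"
}

# Run the check against the constructed zone file.
ipsec_zone_check "$SAMPLE_ZONE" && echo "zone file contains every IPsec rule"
```

Running it on the real host after the firewall-cmd --permanent calls tells you whether each one actually landed in the zone file, which is the quickest way to separate "the command failed" from "the change is only in the runtime configuration".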