[Openswan Users] leftsourceip

Paul Wouters paul at xelerance.com
Tue Dec 6 03:32:36 CET 2005


On Mon, 5 Dec 2005, Nick wrote:

> > It is dangerous to change the routing of your IPsec gateway. We prefer not
> > to do it unless absolutely necessary.
>
> So do you mean using this parameter itself is dangerous?  If so I'm a bit
> confused at exactly what the parameter does.

The parameter changes the default source address used between the two IPsec
endpoints. If those servers are expecting to talk on their public IP
addresses (e.g. LDAP replication or something) then those communications will
fail. Also, imagine one of the servers is a DNS server on the public IP,
you won't be able to talk to it from the other end. You need to change it
to talk to the private IP instead, since no cleartext packets are allowed
between the hosts once crypto is set up for them.

We'd prefer people to realise they are changing something (that they can
change back), so that things don't seem to just break.

Paul
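
The following is an added example, not part of the original message or of the Openswan documentation: a minimal ipsec.conf connection showing where leftsourceip sits relative to the other endpoint settings. The connection name and every address are constructed placeholders.

```conf
# Constructed example: conn name and all addresses are placeholders.
conn site-a-to-site-b
    # This gateway's public IP and the private network behind it.
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    # Source address this gateway uses for its own traffic into the tunnel.
    # It should be an address configured on this host, inside leftsubnet.
    leftsourceip=10.0.1.1
    # Remote gateway's public IP and the private network behind it.
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start
    # Per the message above: once this is active, services running on the
    # remote gateway have to be addressed on its private IP (here 10.0.2.1
    # as an assumed value), not on 198.51.100.1.
```

Removing the leftsourceip line and restarting the connection reverts the gateway to its previous source address selection.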

