[Openswan Users] Tunneling gateway and ip_forward

Marcus Leech mleech at nortel.com
Tue Feb 22 12:48:34 CET 2005

I've used Nate Carlsons config for roadwarriors to get a gateway machine 
  based on 2.3.1dr3.

I have a gateway machine that has a temporary Internet-side interface,, plugged into
  a stub network consisting of a 8-port hub, and a laptop machine  at

The other side of the gateway is plugged into the corporate network at, and I have
  a route of 47/8 defined for the network 47 interface.  The interface is defined
  as the default route.

I can setup a roadwarrior connection from the laptop (at, 
and send pings intended
  for addresses on network 47.  Examination on the gateway indicates 
that they're making it to
  the gateway, and getting decapsulated, but not making it out onto the 
network 47 interface.
  So, I experimentally turned on ip_forward, and the packets make it out 
onto network 47
  like you'd expect.  But I *can't* leave ip_forward turned on, because 
then packets that
  aren't tunneled through IPSEC will also get forwarded between 
interfaces, which is
  VERY VERY bad for security.  Do I need to setup an iptables rule for 
the forwarding
  chain, and if so, how?

More information about the Users mailing list