[Openswan Users] gateway-to-gateway traffic is not encrypted

Paul Wouters paul at xelerance.com
Mon Mar 7 19:55:30 CET 2005


On Mon, 7 Mar 2005, martin f krafft wrote:

> also sprach martin f krafft <madduck at madduck.net> [2005.03.06.1759 +0100]:
>> First and foremost, I noticed that while the gateways happily tunnel
>> between two networks, and also tunnel between one gateway and hosts
>> behind the other, direct traffic between the hosts is not tunneled.
>> Is this at all supported? Given a standard roadwarrior to gateway
>> configuration (using x509), how can I make sure that traffic between
>> the roadwarrior and the gateway itself is encrypted?
>
> Note that this works just fine if I access the other gateway using
> its internal IP on the subnet it tunnels. This makes me think that
> it's all just a policy thing?

If your gateway uses its public IP as source, then it will not fall
within the net-to-net ipsec policy and will go out plaintext. You can
either define host-host and/or host-net and net-host tunnels to
cover all combinations, or add a left/rightsourceip= pointing to
the internal IP address to change the default src address used
for traffic on the gateways.

Paul
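An ipsec.conf sketch of the two options described above, added here as an illustration and not taken from the thread or from the Openswan project; the gateway addresses, subnets, certificate file names and conn names are made up.

```ini
# Option 1: keep a single net-to-net tunnel, but make traffic that the
# gateways themselves originate use their internal addresses, so it
# matches the existing 10.1.0.0/16 <-> 10.2.0.0/16 policy.
conn net-to-net
    left=192.0.2.1             # gateway A public IP (constructed)
    leftsubnet=10.1.0.0/16
    leftsourceip=10.1.0.1      # gateway A internal IP, used as src for its own traffic
    leftcert=gwA.pem
    right=198.51.100.1         # gateway B public IP (constructed)
    rightsubnet=10.2.0.0/16
    rightsourceip=10.2.0.1     # gateway B internal IP
    rightcert=gwB.pem
    authby=rsasig
    auto=start

# Option 2: add explicit tunnels so every combination of endpoint is
# covered by a policy. Leaving out leftsubnet/rightsubnet means the
# gateway's own public address is the "subnet" for that side.
conn common
    left=192.0.2.1
    leftcert=gwA.pem
    right=198.51.100.1
    rightcert=gwB.pem
    authby=rsasig
    auto=start

conn gwA-to-netB            # host-net: gateway A itself -> network behind B
    also=common
    rightsubnet=10.2.0.0/16

conn netA-to-gwB            # net-host: network behind A -> gateway B itself
    also=common
    leftsubnet=10.1.0.0/16

conn gwA-to-gwB             # host-host: the two gateways' public addresses
    also=common
```

After loading, check that the installed policies actually cover the gateway's own address (`ipsec eroute` with KLIPS, or `ip xfrm policy` with NETKEY) and confirm with tcpdump on the outside interface that gateway-originated traffic to the far side leaves as ESP rather than plaintext.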

