[Openswan Users] openswan not encapsulating packets

Brian Candler B.Candler at pobox.com
Tue May 23 09:56:13 CEST 2006


On Mon, May 22, 2006 at 10:21:52AM -0400, Andy wrote:
> On Mon, 2006-05-22 at 15:32 +0200, Leonardo Piras wrote:
> > > You are sending pings with a source IP of 172.16.0.4, but the 'leftsubnet'
> > > declaration is for 192.168.3.224/29, so the packets don't match the policy.
> > > 
> > > If your client machine actually has an address on 192.168.3.224/29, then use
> > > this as the source: e.g.
> > > 
> > >    ping -I 192.168.3.225 100.150.1.13
> > 
> > Assigning aliases and pinging with -I makes my ping answer.
> > Guess I'll have to adjust the routing now... cause everything towards
> > 100.150.1.13 has to come from that interface.
> 
> You can set the source IP in the connection definition - use
> leftsourceip=<address>. That affects locally generated packets destined
> for your rightsubnet.

I don't think that's the issue. Rather, the problem is that when the
*application* tries to send a packet to that destination, the generated
packet (prior to encapsulation) has a source IP of %defaultroute. However,
the tunnel's leftsubnet is for a different range.

I don't know of an easy way to fix that in Linux. In FreeBSD, you can run
applications in a jail(8) which forces them to bind to the jail's IP
address.

Perhaps he could use a NAT rule to change the source IP to the correct one.
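
The selector mismatch discussed in this thread, as an added example that is not part of the original messages: a small Python model of how a tunnel's leftsubnet/rightsubnet selectors decide whether a packet is encapsulated or leaves unprotected. The rightsubnet value (100.150.1.13/32), all function names, and the ordering (source NAT applied before the policy lookup) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelPolicy:
    """Traffic selectors of one tunnel (leftsubnet / rightsubnet)."""
    left_subnet: ipaddress.IPv4Network
    right_subnet: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        # Both ends must fall inside the selectors, not just the destination.
        return (ipaddress.ip_address(src) in self.left_subnet
                and ipaddress.ip_address(dst) in self.right_subnet)


def apply_snat(src: str, dst: str, rules) -> str:
    """Rewrite the source using the first rule whose destination matches.

    rules is a sequence of (destination_network, new_source) pairs.
    Assumption: the rewrite happens before the IPsec policy lookup.
    """
    for dst_net, new_src in rules:
        if ipaddress.ip_address(dst) in dst_net:
            return new_src
    return src


def disposition(policy: TunnelPolicy, src: str, dst: str, snat_rules=()):
    """Return (final_source, 'encapsulated' or 'cleartext') for one packet."""
    final_src = apply_snat(src, dst, snat_rules)
    state = "encapsulated" if policy.matches(final_src, dst) else "cleartext"
    return final_src, state


# leftsubnet is from the thread; rightsubnet is an assumed /32 for the peer.
POLICY = TunnelPolicy(ipaddress.ip_network("192.168.3.224/29"),
                      ipaddress.ip_network("100.150.1.13/32"))
# Constructed NAT rule: traffic to the peer gets an address inside leftsubnet.
SNAT_RULES = [(ipaddress.ip_network("100.150.1.13/32"), "192.168.3.225")]

if __name__ == "__main__":
    dst = "100.150.1.13"
    # Default source chosen by routing: outside leftsubnet, so no match.
    print(disposition(POLICY, "172.16.0.4", dst))
    # Source forced to the alias, as with `ping -I 192.168.3.225`.
    print(disposition(POLICY, "192.168.3.225", dst))
    # Default source again, but rewritten by the NAT rule first.
    print(disposition(POLICY, "172.16.0.4", dst, SNAT_RULES))
```

A "cleartext" result is the case to watch for: the packet is still routed, just without IPsec protection.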

