[Openswan Users] openswan not encapsulating packets

Brian Candler B.Candler at pobox.com
Tue May 23 09:56:13 CEST 2006

On Mon, May 22, 2006 at 10:21:52AM -0400, Andy wrote:
> On Mon, 2006-05-22 at 15:32 +0200, Leonardo Piras wrote:
> > > You are sending pings with a source IP of, but the 'leftsubnet'
> > > declaration is for, so the packets don't match the policy.
> > > 
> > > If your client machine actually has an address on, then use
> > > this as the source: e.g.
> > > 
> > >    ping -I
> > 
> > Assignign aliases and pinging with -I makes my ping answer.
> > Guess i'll have to adjust the routing now... cause everything towards
> > has to come from that interface.
> You can set the source IP in the connection definition - use
> lefsourceip=<address>. That affects locally generated packets destined
> for your rightsubnet.

I don't think that's the issue. Rather, the problem is that when the
*application* tries to send a packet to that destination, the generated
packet (prior to encapsulation) has a source IP of %defaultroute. However
the tunnel's leftsubnet is for a different range.

I don't know of an easy way to fix that in Linux. In FreeBSD, you can run
applications in a jail(8) which forces them to bind to the jail's IP

Perhaps he could use a NAT rule to change the source IP to the correct one.

More information about the Users mailing list