[Openswan Users] openSWAN to Cisco IOS

Paul Wouters paul at xelerance.com
Sun Nov 26 13:49:59 EST 2006

On Sun, 26 Nov 2006, Christian Brechbühler wrote:

> > > initiates (ping, ssh, traceroute, http) work fine.  Any connection to
> > > lithium that the gateway initiates fails.  Is this normal?  I suspect
> > NO,
> > > and the firewall on the gateway may be ruining things.
> >
> > Use leftsourceip=firewallinternalIP

> Thank you!  I haven't gotten it to work yet.  Can you spell this out a bit
> more, please?

>From man ipsec.conf:

              the IP address for this host to use when transmitting  a  packet
              to the other side of this link. Relevant only locally, the other
              end need not agree. This option is  used  to  make  the  gateway
              itself  use its internal IP, which is part of the leftsubnet, to
              communicate to the rightsubnet or right. Otherwise, it will  use
              its  nearest  IP  address,  which is its public IP address. This
              option is mostly used when defining  subnet-subnet  connections,
              so  that  the  gateways can talk to each other and the subnet at
              the other end, without the need to build additional host-subnet,
              subnet-host and host-host tunnels.

Your gateway's public ip is not covered in the "subnet-subnet" tunnel, so it
will not get encrypted with IPsec. On top of that, because there is a
connection between the two gateways, they will refuse to communicate in the
clear, so your packet gets dropped. This is the easiest fix, and makes sure
all your communicatin between subnets and gateways happens encrypted.

Adding SNAT in the mix makes things a bit more complex. Ensure to operate
the SNAT on an interface before it hits the IPsec server, so that the
two don't bite. (or try the ipsec+snat from 2.6.17+ but someone else should
write a good description on how to do that, I've never done it myself since
I mostly use klips)


More information about the Users mailing list