[Openswan Users] openSWAN to Cisco IOS
paul at xelerance.com
Sun Nov 26 13:49:59 EST 2006
On Sun, 26 Nov 2006, Christian Brechbühler wrote:
> > > initiates (ping, ssh, traceroute, http) work fine. Any connection to
> > > lithium that the gateway initiates fails. Is this normal? I suspect
> > NO,
> > > and the firewall on the gateway may be ruining things.
> > Use leftsourceip=firewallinternalIP
> Thank you! I haven't gotten it to work yet. Can you spell this out a bit
> more, please?
>From man ipsec.conf:
the IP address for this host to use when transmitting a packet
to the other side of this link. Relevant only locally, the other
end need not agree. This option is used to make the gateway
itself use its internal IP, which is part of the leftsubnet, to
communicate to the rightsubnet or right. Otherwise, it will use
its nearest IP address, which is its public IP address. This
option is mostly used when defining subnet-subnet connections,
so that the gateways can talk to each other and the subnet at
the other end, without the need to build additional host-subnet,
subnet-host and host-host tunnels.
Your gateway's public ip is not covered in the "subnet-subnet" tunnel, so it
will not get encrypted with IPsec. On top of that, because there is a
connection between the two gateways, they will refuse to communicate in the
clear, so your packet gets dropped. This is the easiest fix, and makes sure
all your communicatin between subnets and gateways happens encrypted.
Adding SNAT in the mix makes things a bit more complex. Ensure to operate
the SNAT on an interface before it hits the IPsec server, so that the
two don't bite. (or try the ipsec+snat from 2.6.17+ but someone else should
write a good description on how to do that, I've never done it myself since
I mostly use klips)
More information about the Users