[Openswan Users] OpenSwan and locally-generated traffic - SOLVED
James Northcott / Chief Systems
james at chiefsystems.ca
Thu Nov 6 11:38:13 EST 2008
Thanks a lot for your help.
Paul Wouters wrote:
> On Wed, 5 Nov 2008, James Northcott / Chief Systems wrote:
>
>> I'm having trouble getting locally-generated traffic to pass through the
>> IPSEC tunnel.
>
> Add the appropriate leftsourceip= and rightsourceip= options to the conn.
These options didn't change anything for me. I actually didn't know
they even existed, though - they are not documented in the man page for
ipsec.conf.
>
>> I'm not sure why the first tcpdump command doesn't show packets from 0.10
>> to 3.102, but things work when this is the case.
>
> Linux kernel design issue with NETKEY.
I am almost convinced to drop NETKEY and go with KLIPS - it seems a
better design to me to make the ipsec interfaces explicit.
The magic incantation that worked for me was:
iptables -t nat -I POSTROUTING 1 -d 192.168.0.0/16 -j SNAT --to 192.168.0.10
This rule rewrites the source address of all packets destined for the
secure tunnels to the local IP of the OpenSWAN machine. This seems to
force the packets through the tunnel. I'm still not sure why Asterisk
wasn't choosing the correct source IP in the first place, and I think
this rule may be too broad, but it hasn't broken anything yet, and my
tunnels all work again.
Thanks again for your help.
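The SNAT rule above is, as the post itself notes, broader than the tunnels need. As an added example that is not part of the thread (neither Paul's nor James's), this POSIX shell script flags such catch-all SNAT rules in an iptables-save dump and builds a per-tunnel replacement; it assumes the remote subnet is 192.168.3.0/24 (only the host 3.102 appears in the thread) and that the kernel provides the iptables policy match (-m policy), which is used here to limit the rewrite to packets that will actually be encrypted.

```shell
#!/bin/sh
# Added example, not from the list post: audit an iptables NAT dump for the
# catch-all SNAT rule described above and print a narrower per-tunnel form.

# Constructed iptables-save excerpt reproducing the rule from the post.
NAT_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.168.0.0/16 -j SNAT --to-source 192.168.0.10
COMMIT'

# Print every SNAT rule whose -d match is wider than a /24; a bare address
# counts as /32. Such rules rewrite far more traffic than the tunnels need.
find_broad_snat() {
    printf '%s\n' "$1" | awk '
        /-j SNAT/ {
            for (i = 1; i < NF; i++) {
                if ($i == "-d") {
                    n = split($(i + 1), a, "/")
                    mask = (n == 2) ? a[2] + 0 : 32
                    if (mask < 24) print
                }
            }
        }'
}

# Build one rule per remote subnet. The xt_policy match (assumed available in
# the kernel) limits the rewrite to packets that will be encrypted by an IPsec
# policy, so ordinary LAN traffic keeps its original source address.
narrow_snat_rule() {
    remote_net=$1
    local_ip=$2
    printf 'iptables -t nat -I POSTROUTING 1 -d %s -m policy --dir out --pol ipsec -j SNAT --to-source %s\n' \
        "$remote_net" "$local_ip"
}

# Usage: report the broad rule, then show the replacement for an assumed
# 192.168.3.0/24 remote subnet (the post only mentions the host 3.102).
find_broad_snat "$NAT_DUMP"
narrow_snat_rule 192.168.3.0/24 192.168.0.10
```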