[Openswan Users] OpenSwan and locally-generated traffic - SOLVED

Paul Wouters paul at xelerance.com
Thu Nov 6 12:27:31 EST 2008


On Thu, 6 Nov 2008, James Northcott / Chief Systems wrote:

> > Add the appropriate leftsourceip= and rightsourceip= options to the conn.
> These options didn't change anything for me.  I actually didn't know they even
> existed, though - they are not documented in the man page for ipsec.conf.

upgrade?

from the man page of openswan 2.4.13 or 2.6.18:

       leftsourceip
           the IP address for this host to use when transmitting a packet to
           the other side of this link. Relevant only locally, the other end
           need not agree. This option is used to make the gateway itself use
           its internal IP, which is part of the leftsubnet, to communicate to
           the rightsubnet or right. Otherwise, it will use its nearest IP
           address, which is its public IP address. This option is mostly used
           when defining subnet-subnet connections, so that the gateways can
           talk to each other and the subnet at the other end, without the
           need to build additional host-subnet, subnet-host and host-host
           tunnels. Both IPv4 and IPv6 addresses are supported.

> The magic incantation that worked for me was:
> 
> iptables -t nat -I POSTROUTING 1 -d 192.168.0.0/16 -j SNAT --to 192.168.0.10

I didn't know that finally worked on NETKEY. It didn't use to play well
with IPsec.

> This rule rewrites the source address of all packets destined for the secure
> tunnels to the local IP of the OpenSWAN machine.  This seems to force the
> packets through the tunnel.  I'm still not sure why Asterisk wasn't choosing
> the correct source IP in the first place, and I think this rule may be too

I know you can specify the bind address in Asterisk. Not sure if that also
sets the IP for outgoing connections though. 

Paul
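The man page text quoted above boils down to one rule for subnet-subnet conns: the gateway only sources its own traffic from an internal address if `leftsourceip=`/`rightsourceip=` is set, and that address has to lie inside the matching `leftsubnet=`/`rightsubnet=`; otherwise the packets leave from the public IP and miss the tunnel policy, which is the symptom James hit. The following checker is an added example, not code from this thread or from the Openswan project: it parses a small, constructed ipsec.conf fragment (the addresses are placeholders in the 192.168.0.0/16 range used in the thread) and reports, per conn, any side that has a subnet but no sourceip, or a sourceip outside its subnet.

```python
import ipaddress

# Constructed sample ipsec.conf (placeholder addresses, not from the thread).
SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey

conn office-to-branch
    left=203.0.113.10
    leftsubnet=192.168.0.0/24
    leftsourceip=192.168.0.10      # inside leftsubnet: correct
    right=198.51.100.20
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.1
    auto=start

conn office-to-lab
    left=203.0.113.10
    leftsubnet=192.168.0.0/24
    right=198.51.100.30
    rightsubnet=192.168.2.0/24     # no sourceip on either side
    auto=add

conn misconfigured
    left=203.0.113.10
    leftsubnet=192.168.0.0/24
    leftsourceip=203.0.113.10      # public IP, not inside leftsubnet
    right=198.51.100.40
    rightsubnet=192.168.3.0/24
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}.

    Section headers start in column 0 ("conn NAME", "config setup");
    options are indented key=value lines. Comments and blanks are dropped.
    Only 'conn' sections are kept.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if len(parts) == 2 and parts[0] == "conn":
                current = conns.setdefault(parts[1], {})
            else:
                current = None          # 'config setup' etc.: ignored
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def check_sourceip(conns):
    """Return [(conn_name, finding)] for every side that declares a subnet
    but lacks a sourceip, or whose sourceip is outside that subnet."""
    findings = []
    for name, opts in conns.items():
        for side in ("left", "right"):
            subnet = opts.get(side + "subnet")
            if subnet is None:
                continue                # host side: nothing to check
            net = ipaddress.ip_network(subnet, strict=False)
            src = opts.get(side + "sourceip")
            if src is None:
                findings.append((name, "%ssourceip missing: gateway-originated "
                                 "traffic to the far subnet will leave from %s=%s"
                                 % (side, side, opts.get(side, "?"))))
            elif ipaddress.ip_address(src) not in net:
                findings.append((name, "%ssourceip %s is not inside %ssubnet %s"
                                 % (side, src, side, subnet)))
    return findings


if __name__ == "__main__":
    for conn, msg in check_sourceip(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print("%-18s %s" % (conn, msg))
```

Run against a real /etc/ipsec.conf by swapping the constant for `open(path).read()`; a clean run prints nothing. The check is purely local (the man page notes the other end need not agree), so it can be run on each gateway independently.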
