[Openswan Users] Two questions

smonti at microtrol.com.ar smonti at microtrol.com.ar
Mon Nov 23 17:40:08 EST 2009

Dear sirs,

I'm using Openswan on Fedora 11. I've configured a tunnel between two
private LANs.

a) I've configured start=auto in ipsec.conf but when I reboot the machine,
the tunnel does not go up. IPsec is started but the tunnel remains down. If
I run "service ipsec restart", the tunnel goes up and it works fine. It
seems something is not ready when ipsec starts the first time on boot.

b) I've configured iptables so that packets flow between the LANs. The
rules work fine but I have the following problem:

- With the tunnel up: a user on LAN A pings a user on LAN B and
receives the echo reply. It's OK.
- With the tunnel down: a user on LAN A pings a user on LAN B but the
firewall does not encrypt the packet (because the tunnel is down)
and the packet with the private addresses gets forwarded directly to the
Internet. Of course the packet does not progress on the Internet
and the echo reply never arrives. That's also OK. But is there any way
not to forward the unencrypted packet to the Internet?
The problem derives from the fact that I need to activate a forward rule
between the private LANs in order to forward the traffic when the
tunnel is UP, but this rule should not be active when the tunnel is down. I
don't like to send fool packets to the Internet.
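As an added example (not from the post or from Openswan), the unconditional FORWARD rule described in (b) beside a version that uses the iptables policy match (`-m policy`, the xt_policy module) so inter-LAN traffic is forwarded only when an IPsec policy covers it and is dropped otherwise; the LAN addresses are constructed.

```shell
#!/bin/sh
# Constructed addresses: LAN A sits behind this gateway, LAN B behind the
# remote Openswan peer. Adjust both before applying.
LAN_A=10.1.0.0/24
LAN_B=10.2.0.0/24

# Print rules by default; run with APPLY=1 (as root) to install them.
rule() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# The rule set from the post: forwarding between the LANs is unconditional,
# so with the tunnel down, plaintext RFC1918 packets leave via the default route.
leaky_rules() {
  rule -A FORWARD -s "$LAN_A" -d "$LAN_B" -j ACCEPT
  rule -A FORWARD -s "$LAN_B" -d "$LAN_A" -j ACCEPT
}

# Hardened: the policy match tests whether a packet is covered by an IPsec SPD
# entry. Outbound LAN A->LAN B traffic is accepted only if it will be
# ESP-encapsulated; inbound LAN B->LAN A only if it was decapsulated from ESP.
# Anything else between the two ranges is dropped, which is exactly the state
# when the tunnel is down and no policy is installed.
ipsec_only_rules() {
  rule -A FORWARD -s "$LAN_A" -d "$LAN_B" \
       -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
  rule -A FORWARD -s "$LAN_B" -d "$LAN_A" \
       -m policy --dir in  --pol ipsec --proto esp --mode tunnel -j ACCEPT
  # Log a few of the plaintext attempts so a failed tunnel is visible, then drop.
  rule -A FORWARD -s "$LAN_A" -d "$LAN_B" -m limit --limit 3/min \
       -j LOG --log-prefix "ipsec-down-leak: "
  rule -A FORWARD -s "$LAN_A" -d "$LAN_B" -j DROP
  rule -A FORWARD -s "$LAN_B" -d "$LAN_A" -j DROP
}

# Count how many lines of a rule set require an IPsec policy; a quick
# self-check that the hardened set never forwards unprotected traffic.
count_policy_rules() {
  "$1" | grep -c -- '--pol ipsec' || true
}

ipsec_only_rules
```

Without APPLY=1 the script only prints the rules, so it can be reviewed before being installed on the gateway.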

