[Openswan Users] access to the remote ipsec connexion on local router

Jean-Francois Couture jfcouture at devsys-inf2001.com
Thu Apr 21 09:15:06 EDT 2011

Hi all,

I made a tunnel between Openswan (as a Linux router) and a WatchGuard X Core router.

Everything works for the computers on the LAN side of the Linux router (ping, access, etc.).

But on the Linux router itself, I can't ping or access the other side of the tunnel.

Is there some iptables rule I need to add to make the Linux router see the LAN on the other side of the WatchGuard?

Here are the iptables rules I have set up to make the Linux LAN side see the WatchGuard's LAN side:

On my setup: linux router LAN is
                    watchguard LAN is

iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT # udp/isakmp
iptables -t filter -A INPUT -p 50 -j ACCEPT # esp
iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -s -j ACCEPT
iptables -t nat -I POSTROUTING -d -j ACCEPT

Thanks for any help on this.

Jeff C.
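Added example, not part of the post above and not the poster's configuration: a dry-run POSIX sh script that regenerates the rule set the post describes with the two subnets filled in (the post left them blank), together with a subnet check that shows which source addresses the LAN-keyed rules actually select. All addresses are constructed for the example: 192.168.10.0/24 stands in for the Linux router's LAN, 172.16.5.0/24 for the WatchGuard's LAN, and 203.0.113.2 (a documentation range) for the router's own WAN address. Nothing here calls iptables; the rules are only printed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Dry run: prints the rule set
# and a per-address report, never touches the running firewall.
# Constructed addresses: 192.168.10.0/24 = Linux router LAN,
# 172.16.5.0/24 = WatchGuard LAN, 203.0.113.2 = router WAN address.

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit integer
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK/PREFIX -> exit status 0 if IP lies inside the subnet
in_subnet() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - $_bits)) & 0xFFFFFFFF ))
    [ $(( $_ip & $_mask )) -eq $(( $_net & $_mask )) ]
}

# build_rules LOCAL_LAN REMOTE_LAN -> prints the post's rule set with the two
# subnets filled in; protocol numbers 17/50 are written as udp/esp
build_rules() {
    cat <<EOF
iptables -t filter -A INPUT -p udp --dport 500 -j ACCEPT
iptables -t filter -A INPUT -p esp -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport 500 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -s $1 -j ACCEPT
iptables -t nat -I POSTROUTING -d $2 -j ACCEPT
EOF
}

# report_sources LOCAL_LAN IP... -> one line per address saying whether a
# packet sourced from it is selected by the "-s LOCAL_LAN" FORWARD rule (and
# by an IPsec policy whose local selector is the same subnet); the return
# value is the number of addresses that fall outside the selector
report_sources() {
    _lan=$1
    shift
    _outside=0
    for _src in "$@"; do
        if in_subnet "$_src" "$_lan"; then
            echo "$_src: inside $_lan, selected for the tunnel"
        else
            echo "$_src: outside $_lan, not selected for the tunnel"
            _outside=$(( _outside + 1 ))
        fi
    done
    return $_outside
}

# usage: a LAN host versus the router's own WAN address as packet source
build_rules 192.168.10.0/24 172.16.5.0/24
report_sources 192.168.10.0/24 192.168.10.7 203.0.113.2 \
    || echo "$? source address(es) would bypass the tunnel"
```

The report makes the selector problem visible: the FORWARD rule and the IPsec policy are both keyed on the local LAN subnet, so a packet the router generates itself, sourced from its WAN address, lies outside that selector and is neither forwarded by the rule nor encrypted by the policy. That matches the symptom the post describes (LAN hosts reach the far side, the router does not). The usual remedy, which is my note rather than anything in the post, is to make the router source its own traffic from an address inside the selector (Openswan's leftsourceip= option exists for this) rather than to open the firewall further.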

