[Openswan Users] access to the remote ipsec connexion on local router

Ruben Laban r.laban at ism.nl
Thu Apr 21 11:05:06 EDT 2011

Hi Jeff,

On Thursday 21 April 2011 at 15:15 (CET), Jean-Francois Couture wrote:
> but, on the linux router itself, I can’t ping or have access to the other
> side of the tunnel.
> Is there some iptables rule I need to add to make the linux router see the
> lan on the other side of the watchguard ?

Have a look at the leftsourceip= setting in the manual. You'll need to 
originate your traffic from an ip that falls within leftsubnet=.

> Here are the iptables rules I have setup to make the linux LAN side see the
> watchguard’s LAN side:
> On my setup: linux router LAN is
>                     watchguard LAN is
> iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT # udp/isakmp
> iptables -t filter -A INPUT -p 50 -j ACCEPT # esp
> iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 #
> udp/isakmp iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 #
> esp
> iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
> iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
> iptables -t filter -A OUTPUT -j ACCEPT
> iptables -t filter -A FORWARD -s -j ACCEPT
> iptables -t nat -I POSTROUTING -d -j ACCEPT

Using fwmarks is "old", the use of the netfilter policy module is a much 
cleaner approach; see: iptables -m policy -h.


More information about the Users mailing list