[Openswan Users] access to the remote ipsec connexion on local router
Ruben Laban
r.laban at ism.nl
Thu Apr 21 11:05:06 EDT 2011
Hi Jeff,
On Thursday 21 April 2011 at 15:15 (CET), Jean-Francois Couture wrote:
> but, on the linux router itself, I can’t ping or have access to the other
> side of the tunnel.
>
> Is there some iptables rule I need to add to make the linux router see the
> lan on the other side of the watchguard ?
Have a look at the leftsourceip= setting in the manual. You'll need to
originate your traffic from an ip that falls within leftsubnet=.
> Here are the iptables rules I have setup to make the linux LAN side see the
> watchguard’s LAN side:
>
> On my setup: linux router LAN is 192.168.112.0/24
> watchguard LAN is 192.168.10.0/24
>
> iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT # udp/isakmp
> iptables -t filter -A INPUT -p 50 -j ACCEPT # esp
> iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
> iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
> iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
> iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
> iptables -t filter -A OUTPUT -j ACCEPT
> iptables -t filter -A FORWARD -s 192.168.112.0/24 -j ACCEPT
> iptables -t nat -I POSTROUTING -d 192.168.10.0/24 -j ACCEPT
Using fwmarks is "old"; the use of the netfilter policy module is a much
cleaner approach; see: iptables -m policy -h.
Regards,
Ruben
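As an added example (not Ruben's or the Openswan project's code), here is the equivalent ruleset for the setup in this thread written with the policy match instead of fwmarks, as a dry-run script. It assumes leftsourceip= is set to the router's own 192.168.112.x address so that its traffic falls inside leftsubnet=, and the udp/4500 rule is an assumption that only applies if NAT traversal is in use.

```shell
#!/bin/sh
# Constructed example for the tunnel in the thread: local LAN 192.168.112.0/24,
# remote (WatchGuard) LAN 192.168.10.0/24. Not Ruben's or Openswan's code.
set -e

LOCAL_LAN=192.168.112.0/24
REMOTE_LAN=192.168.10.0/24
IPT=${IPT:-iptables}
# Every rule is prefixed with "$RUN": empty applies it, "echo" just prints it,
# so the script can be reviewed without root or a live tunnel.
RUN=${RUN:-}

rules() {
  # IKE and ESP addressed to the router itself
  $RUN $IPT -t filter -A INPUT -p udp --dport 500 -j ACCEPT              # isakmp
  $RUN $IPT -t filter -A INPUT -p udp --dport 4500 -j ACCEPT             # NAT-T (assumption)
  $RUN $IPT -t filter -A INPUT -p esp -j ACCEPT                          # esp
  # Decrypted traffic: "--dir in --pol ipsec" matches packets the kernel just
  # took out of an ESP SA, which is what the fwmark on the ESP packet approximated.
  $RUN $IPT -t filter -A INPUT -m policy --dir in --pol ipsec --proto esp -s $REMOTE_LAN -j ACCEPT
  $RUN $IPT -t filter -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $REMOTE_LAN -d $LOCAL_LAN -j ACCEPT
  # Traffic about to be encrypted towards the remote LAN
  $RUN $IPT -t filter -A FORWARD -m policy --dir out --pol ipsec --proto esp -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT
  # Keep tunnel traffic out of any masquerade rule so the remote side sees the
  # real 192.168.112.x source (including the router's leftsourceip= address).
  $RUN $IPT -t nat -I POSTROUTING -s $LOCAL_LAN -d $REMOTE_LAN -m policy --dir out --pol ipsec -j ACCEPT
}

case "${1:-}" in
  apply) rules ;;               # "./ipsec-rules.sh apply" as root installs the rules
  *)     RUN=echo rules ;;      # default: dry run, print the rules only
esac
```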