[Openswan Users] access to the remote ipsec connexion on localrouter
Jean-Francois Couture
jfcouture at devsys-inf2001.com
Thu Apr 21 11:22:42 EDT 2011
Ok, so given the /etc/ipsec.conf that I have:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        plutodebug="none"
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

conn watchguard
        auth=esp
        type=tunnel
        aggrmode=no
        esp=3des-sha1
        authby=secret
        keyexchange=ike
        keyingtries=0
        pfs=no
        auto=start
        ike=3des-sha1-modp768
        ikelifetime=8h
        left=<Local external IP>
        leftsubnet=192.168.112.0/24

conn watchguard-10.x
        also=watchguard
        right=<remote external IP>
        rightsubnet=192.168.10.0/24

conn watchguard-13.11
        also=watchguard
        right=<remote external IP>
        rightsubnet=192.168.13.11/32
Do I also need to add "leftsourceip=" to the watchguard connector? e.g.
"leftsourceip=192.168.112.1"
Do I need an iptables policy to let the local server see the remote tunnel?
Btw, if you have some example of the iptables policy, I'm all ears ;-)
Thanks,
Jeff C.
-----Message d'origine-----
From: Ruben Laban
Sent: Thursday, April 21, 2011 11:05 AM
To: users at openswan.org
Subject: Re: [Openswan Users] access to the remote ipsec connexion on localrouter
Hi Jeff,
On Thursday 21 April 2011 at 15:15 (CET), Jean-Francois Couture wrote:
> but, on the linux router itself, I can’t ping or have access to the other
> side of the tunnel.
>
> Is there some iptables rule I need to add to make the linux router see the
> lan on the other side of the watchguard ?
Have a look at the leftsourceip= setting in the manual. You'll need to
originate your traffic from an ip that falls within leftsubnet=.
> Here are the iptables rules I have setup to make the linux LAN side see
> the
> watchguard’s LAN side:
>
> On my setup: linux router LAN is 192.168.112.0/24
> watchguard LAN is 192.168.10.0/24
>
> iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT # udp/isakmp
> iptables -t filter -A INPUT -p 50 -j ACCEPT # esp
> iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
> iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
> iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
> iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
> iptables -t filter -A OUTPUT -j ACCEPT
> iptables -t filter -A FORWARD -s 192.168.112.0/24 -j ACCEPT
> iptables -t nat -I POSTROUTING -d 192.168.10.0/24 -j ACCEPT
Using fwmarks is "old", the use of the netfilter policy module is a much
cleaner approach; see: iptables -m policy -h.
Regards,
Ruben
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
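The two points raised in this thread, originating the router's own traffic from an address inside leftsubnet= via leftsourceip= and replacing the fwmark rules with the netfilter policy match, put together as an added example. This is not code from the thread or from the Openswan project: the subnets are the ones posted above, while WAN_IF, the 192.168.112.1 source address and the NAT-T rule are assumptions for illustration. The script prints the rules rather than running them, so the set can be reviewed without root; pipe it into sh on the router to apply it.

```shell
#!/bin/sh
# Added example, not from the thread. Netfilter rules for an Openswan/NETKEY
# gateway using the policy match (iptables -m policy) instead of fwmarks,
# plus the conn lines that give the router itself a source address inside
# leftsubnet=. Subnets come from the thread; WAN_IF and LOCAL_GW_IP are
# assumed values for illustration.
LOCAL_LAN=192.168.112.0/24
LOCAL_GW_IP=192.168.112.1              # assumed; must lie inside leftsubnet=
REMOTE_NETS="192.168.10.0/24 192.168.13.11/32"
WAN_IF=eth0                            # assumed external interface

# Emit the rules instead of executing them, so the set can be reviewed (and
# tested) without root. Apply on the router with:  sh thisfile | sudo sh
ipsec_rules() {
    # IKE and ESP addressed to the gateway itself (4500 only matters with NAT-T)
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
    for net in $REMOTE_NETS; do
        # Plaintext the kernel has just taken out of an ESP tunnel (dir in):
        # forwarded to the local LAN, or addressed to the router itself.
        echo "iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $net -d $LOCAL_LAN -j ACCEPT"
        echo "iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -s $net -j ACCEPT"
        # Plaintext that will be wrapped in ESP on the way out (dir out); the
        # OUTPUT rule is what lets the router's own pings through once
        # leftsourceip= makes them match the tunnel policy.
        echo "iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -s $LOCAL_LAN -d $net -j ACCEPT"
        echo "iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -d $net -j ACCEPT"
        # Exempt tunnel-bound traffic from the MASQUERADE below; otherwise it
        # leaves with the WAN address and no longer matches the IPsec policy.
        echo "iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -d $net -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# The conn lines that change: leftsourceip= makes the router originate from
# $LOCAL_GW_IP, an address inside leftsubnet=, so its own packets are
# selected by the tunnel policy instead of leaving from the WAN address.
watchguard_conn() {
    cat <<EOF
conn watchguard
        # other settings unchanged from the posted conn watchguard
        left=<Local external IP>
        leftsubnet=$LOCAL_LAN
        leftsourceip=$LOCAL_GW_IP
EOF
}

ipsec_rules
watchguard_conn
```

After the conn is brought up, `ip route get 192.168.10.1` on the router should report `src 192.168.112.1` (the source address installed for leftsourceip=), and `ip xfrm policy` should list the out/in/fwd entries for the two remote subnets; if either is missing, the router's own packets will still leave with the WAN address and never match the `-m policy` rules.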