[Openswan Users] access to the remote ipsec connection on localrouter

Paul Wouters paul at xelerance.com
Thu Apr 21 12:09:43 EDT 2011


On Thu, 21 Apr 2011, Jean-Francois Couture wrote:

> conn watchguard
>        auth=esp
>        type=tunnel
>        aggrmode=no
>        esp=3des-sha1
>        authby=secret
>        keyexchange=ike
>        keyingtries=0
>        pfs=no
>        auto=start
>        ike=3des-sha1-modp768
>        ikelifetime=8h
>        left=<Local external IP>
>        leftsubnet=192.168.112.0/24

> I also need to add "leftsourceip=" to the watchguard connector? ex.
> "leftsourceip=192.168.112.1"

Yes.

> Do I need an iptables policy to let the local server see the remote tunnel?

No.

> Btw, if you have some example on the iptables policy, I'm all ears ;-)

What leftsourceip= basically does is (off the top of my head, don't trust me on exact syntax):

ip route add 192.168.10.0/24 src 192.168.112.1

Normally, a host picks the "nearest" IP to use as source, but the nearest IP for
you might not be the best pick (though in this case with NAT, it might be the same)
if it does not fall within leftsubnet=.

So, I'm not entirely sure if this option will fix your case.

Paul
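The source-selection problem Paul describes, as an added example that is not from this thread or from Openswan's own _updown script: a small Python model of the kernel's route lookup, with and without the src hint that leftsourceip= adds. It uses the thread's own addresses (leftsubnet=192.168.112.0/24, leftsourceip=192.168.112.1, and 192.168.10.0/24 as the remote subnet from Paul's route line); the external address 203.0.113.10, the external prefix and the interface names eth0/eth1 are assumptions. The point it makes visible: a packet the router itself generates towards the remote subnet normally takes the external interface's address as source, which is outside leftsubnet=, so it does not match the tunnel's selectors and is not sent through the tunnel. With the src hint, the same packet is sourced from 192.168.112.1 and matches.

```python
import ipaddress

LEFTSUBNET = "192.168.112.0/24"   # from the quoted conn
LEFTSOURCEIP = "192.168.112.1"    # from the quoted question
RIGHTSUBNET = "192.168.10.0/24"   # the remote subnet in Paul's route example
EXTERNAL_IP = "203.0.113.10"      # assumption: stands in for <Local external IP>

# Constructed routing table, (prefix, egress device, src hint or None),
# modelled on what `ip route` would show on the router. Device names and
# the external /24 are assumptions.
ROUTES = [
    ("192.168.112.0/24", "eth1", None),   # LAN side, directly connected
    ("203.0.113.0/24",   "eth0", None),   # external side, directly connected
    ("0.0.0.0/0",        "eth0", None),   # default route towards the ISP
]
IFACE_ADDR = {"eth0": EXTERNAL_IP, "eth1": LEFTSOURCEIP}


def lookup(routes, dst):
    """Longest-prefix match over the table, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    return best


def pick_source(routes, dst):
    """Source address for a packet the router itself generates: the route's
    src hint if present, otherwise the address of the egress interface."""
    route = lookup(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    _, dev, src = route
    return ipaddress.ip_address(src or IFACE_ADDR[dev])


def add_sourceip_route(routes, rightsubnet, leftsourceip):
    """What leftsourceip= boils down to: a route for the remote subnet that
    carries a src hint, on the interface the remote subnet is reached through."""
    first = ipaddress.ip_network(rightsubnet)[0]
    _, dev, _ = lookup(routes, str(first))
    return routes + [(rightsubnet, dev, leftsourceip)]


def matches_policy(routes, dst, leftsubnet, rightsubnet):
    """Does local traffic to dst fall inside the leftsubnet<->rightsubnet
    selectors of the tunnel? If not, it is not sent through the tunnel."""
    src = pick_source(routes, dst)
    return (src in ipaddress.ip_network(leftsubnet)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rightsubnet))


if __name__ == "__main__":
    target = "192.168.10.5"   # a host on the remote LAN (constructed)
    print("without leftsourceip:", pick_source(ROUTES, target),
          "in policy:", matches_policy(ROUTES, target, LEFTSUBNET, RIGHTSUBNET))
    fixed = add_sourceip_route(ROUTES, RIGHTSUBNET, LEFTSOURCEIP)
    print("with leftsourceip:   ", pick_source(fixed, target),
          "in policy:", matches_policy(fixed, target, LEFTSUBNET, RIGHTSUBNET))
```

On a real box the equivalent check is `ip route get 192.168.10.5`, whose `src` field is the address the kernel will use; if that address is not inside leftsubnet=, traffic originating on the router itself will not be covered by the conn regardless of any iptables rules.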
