[Openswan Users] access to the remote ipsec connexion on localrouter

Jean-Francois Couture jfcouture at devsys-inf2001.com
Thu Apr 21 13:04:37 EDT 2011

Hi Paul,

Your right, I tried Ruben's tip -->  leftsourceip= and used my eth1 (LAN 
side IP) and it started to work.

looking at "route", I now see :    *        U     0      0        0 eth0

in the list. So, it does add the route.

Btw, I think that the iptables code i used on this list was yours. Thanks 
for that ;-)

Now, All I need to find is the iptables rule to let the other side see my 
local LAN :-)

Thanks for all the help.

Jeff C.

-----Message d'origine----- 
From: Paul Wouters
Sent: Thursday, April 21, 2011 12:09 PM
To: Jean-Francois Couture
Cc: Ruben Laban ; users at openswan.org
Subject: Re: [Openswan Users] access to the remote ipsec connexion on 

On Thu, 21 Apr 2011, Jean-Francois Couture wrote:

> conn watchguard
>        auth=esp
>        type=tunnel
>        aggrmode=no
>        esp=3des-sha1
>        authby=secret
>        keyexchange=ike
>        keyingtries=0
>        pfs=no
>        auto=start
>        ike=3des-sha1-modp768
>        ikelifetime=8h
>        left=<Local external IP>
>        leftsubnet=

> I also need to add "leftsourceip=" the the watchguard connector ? ex.
> "leftsourceip="


> Do I need a iptables policy to let the local server see the remote tunnel 
> ?


> Btw, If you have some example on the iptables policy, i'm all ears ;-)

What leftsource= basically does is (top of my head, not trust me on exact 

ip route add src

Normally, a host picks the "nearest" IP to use as source, but the nearest ip 
you might not be the best pick (though in this case with NAT, it might be 
the same)
if it does not fall within leftsubnet=

So, I'm not entirely use if this option will fix your case.


More information about the Users mailing list