[Openswan Users] access to the remote ipsec connexion on localrouter
Jean-Francois Couture
jfcouture at devsys-inf2001.com
Thu Apr 21 13:04:37 EDT 2011
Hi Paul,
You're right, I tried Ruben's tip --> leftsourceip= and used my eth1 (LAN
side IP) and it started to work.
Looking at "route", I now see :
192.168.10.0 * 255.255.255.0 U 0 0 0 eth0
in the list. So, it does add the route.
Btw, I think that the iptables code I used on this list was yours. Thanks
for that ;-)
Now, all I need to find is the iptables rule to let the other side see my
local LAN :-)
Thanks for all the help.
Jeff C.
-----Message d'origine-----
From: Paul Wouters
Sent: Thursday, April 21, 2011 12:09 PM
To: Jean-Francois Couture
Cc: Ruben Laban ; users at openswan.org
Subject: Re: [Openswan Users] access to the remote ipsec connexion on
localrouter
On Thu, 21 Apr 2011, Jean-Francois Couture wrote:
> conn watchguard
> auth=esp
> type=tunnel
> aggrmode=no
> esp=3des-sha1
> authby=secret
> keyexchange=ike
> keyingtries=0
> pfs=no
> auto=start
> ike=3des-sha1-modp768
> ikelifetime=8h
> left=<Local external IP>
> leftsubnet=192.168.112.0/24
> I also need to add "leftsourceip=" to the watchguard connector ? ex.
> "leftsourceip=192.168.112.1"
Yes.
> Do I need an iptables policy to let the local server see the remote tunnel ?
No.
> Btw, if you have some example on the iptables policy, I'm all ears ;-)
What leftsource= basically does is (top of my head, don't trust me on exact
syntax)
ip route add 192.168.10.0/24 src 192.168.112.1
Normally, a host picks the "nearest" IP to use as source, but the nearest IP
for you might not be the best pick (though in this case with NAT, it might be
the same) if it does not fall within leftsubnet=
So, I'm not entirely sure if this option will fix your case.
Paul
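As an added example, not code from either message in this thread: a small POSIX sh check for the condition Paul describes, namely that the address you put in leftsourceip= actually falls inside leftsubnet= (otherwise the kernel's "nearest" source pick is what the remote side will see, and the tunnel policy will not match). The route line it prints follows the shape Paul quoted from memory and is an assumption, not Openswan's exact command.

```shell
#!/bin/sh
# Added example: validate a leftsourceip= candidate against leftsubnet=
# and show the source route it implies for the remote subnet.
# Values below are the ones from the thread (constructed sample input).

# ip4_to_int A.B.C.D -> unsigned 32-bit integer (printed on stdout)
ip4_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS -> prints "yes" if ADDR lies inside NET/BITS
in_subnet() {
  addr=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  if [ $(( addr & mask )) -eq $(( net & mask )) ]; then
    echo yes
  else
    echo no
  fi
}

# source_route REMOTE_SUBNET LEFTSOURCEIP -> the route in the form Paul
# quoted ("ip route add <remote> src <ip>"); the exact syntax is assumed.
source_route() {
  printf 'ip route add %s src %s\n' "$1" "$2"
}

# check_leftsourceip LEFTSUBNET LEFTSOURCEIP REMOTE_SUBNET
# Returns 0 and prints the route when the source IP is inside leftsubnet,
# returns 1 otherwise (the case where leftsourceip= will not help).
check_leftsourceip() {
  if [ "$(in_subnet "$2" "$1")" = yes ]; then
    source_route "$3" "$2"
    return 0
  fi
  echo "leftsourceip=$2 is outside leftsubnet=$1; pick a LAN-side address" >&2
  return 1
}

# Thread values: leftsubnet=192.168.112.0/24, remote LAN 192.168.10.0/24
check_leftsourceip 192.168.112.0/24 192.168.112.1 192.168.10.0/24
```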