[Openswan Users] site to site ipsec VPN. local endpoint replies with a host unreachable.
Paul Wouters
paul at nohats.ca
Tue Nov 26 02:59:55 UTC 2013
On Mon, 25 Nov 2013, Michael Closson wrote:
> I was able to get it working by disabling the iptables masquerade feature
> on the public interface. That is,
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> #-A POSTROUTING -o eth0 -j MASQUERADE <<== comment out this line.
>
>
> After making that change, the site to site VPN worked perfectly.
> Seems that IP masquerading and openswan site-to-site are not compatible.
> I suppose there is a good reason for it. The code that is responsible for
> doing the masquerade will have to be aware of which IP ranges are part of
> an openswan tunnel, and not do the address translation on them. Muddies
> the otherwise clean separation of responsibilities. Perhaps this is an
> advantage of KLIPS over NETKEY. With KLIPS there is a different interface
> for the IP sec packets, so netfilter won't try to NAT those packets.
You can exclude your remote network from being masqueraded:
iptables -t nat -I POSTROUTING -d remotenet/mask -j RETURN
Be sure to Insert the rule before the above masquerade rule.
Paul
--
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/
More information about the Users
mailing list