[Openswan Users] site to site ipsec VPN. local endpoint replies with a host unreachable.

Paul Wouters paul at nohats.ca
Tue Nov 26 02:59:55 UTC 2013

On Mon, 25 Nov 2013, Michael Closson wrote:

> I was able to get it working by disabling the iptables masquerade feature
> on the public interface. That is,
> *nat
> #-A POSTROUTING -o eth0 -j MASQUERADE  <<== comment out this line.
> After making that change, the site to site VPN worked perfectly.
> Seems that IP masquerading and openswan site-to-site are not compatible.
> I suppose there is a good reason for it.  The code that is responsible for
> doing the masquerade will have to be aware of which IP ranges are part of
> an openswan tunnel, and not do the address translation on them. Muddies
> the otherwise clean separation of responsibilities. Perhaps this is an
> advantage of KLIPS over NETKEY.  With KLIPS there is a different interface
> for the IP sec packets, so netfilter won't try to NAT those packets.

You can exclude your remote network from being masqueraded:

iptables -t nat -I POSTROUTING -d remotenet/mask -j RETURN

Be sure to Insert the rule before the above masquerade rule.

Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/

More information about the Users mailing list