[Openswan Users] site to site ipsec VPN. local endpoint replies with a host unreachable.

Simon Deziel simon at xelerance.com
Tue Nov 26 03:32:58 UTC 2013


On 13-11-25 08:17 PM, Michael Closson wrote:
> I was able to get it working by disabling the iptables masquerade feature
> on the public interface. That is,
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> #-A POSTROUTING -o eth0 -j MASQUERADE  <<== comment out this line.
> 
> 
> After making that change, the site to site VPN worked perfectly.
> Seems that IP masquerading and openswan site-to-site are not compatible.
> I suppose there is a good reason for it.  The code that is responsible for
> doing the masquerade will have to be aware of which IP ranges are part of
> an openswan tunnel, and not do the address translation on them. Muddies
> the otherwise clean separation of responsibilities. Perhaps this is an
> advantage of KLIPS over NETKEY.  With KLIPS there is a different interface
> for the IPsec packets, so netfilter won't try to NAT those packets.

It's true that with KLIPS you can still use -o to decide what is
masqueraded or not, but you can also use Paul's suggestion to base that
decision on the destination address.

You can also tell iptables to avoid masquerading when dealing with IPsec
packets:

 -A POSTROUTING -m policy --dir out --pol ipsec -j RETURN

Just make sure to put that one above your MASQUERADE rule.

Regards,
Simon
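As an added illustration, not part of the thread: a small POSIX shell check that reads an iptables-save style nat table and verifies that the policy-match RETURN rule Simon describes sits above any MASQUERADE rule in POSTROUTING (ordering is what makes the exemption effective). The two sample tables are constructed for the example.

```shell
#!/bin/sh
# Constructed sample: the IPsec exemption placed BEFORE the masquerade rule,
# which is the ordering that actually exempts tunnelled traffic from NAT.
GOOD_NAT='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j RETURN
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample with the same rules in the wrong order: MASQUERADE is
# evaluated first, so IPsec-bound packets are rewritten before the RETURN
# exemption is ever reached.
BAD_NAT='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j RETURN
COMMIT'

# check_nat_order: read an iptables-save style nat table on stdin and print
# "ok", "no-exemption" or "wrong-order". Returns 0 only for "ok".
# A table with no MASQUERADE rule in POSTROUTING has nothing to exempt.
check_nat_order() {
    awk '
        /^-A POSTROUTING / {
            n++
            if ($0 ~ /-m policy --dir out --pol ipsec -j RETURN/ && !ret) ret = n
            if ($0 ~ /-j MASQUERADE/ && !masq) masq = n
        }
        END {
            if (!masq)      { print "ok"; exit 0 }
            if (!ret)       { print "no-exemption"; exit 1 }
            if (ret < masq) { print "ok"; exit 0 }
            print "wrong-order"; exit 1
        }'
}

# Usage on a live box (not run here):  iptables-save -t nat | check_nat_order
```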

