[Openswan Users] openswan initiating from wrong IP, but answers with the right one

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri Apr 10 04:32:56 EDT 2015

Can you use leftsourceip/rightsourceip to tell openswan which IP to use for 
that conn?

On Friday, April 10, 2015 03:05:43 AM Lennart Regner wrote:
> Hi there,
> I'm running a Debian 7.8 openswan 1:2.6.37-3+deb7u1 server with one
> external interface, but many different aliases : inet xxx.xxx.xxx.94/24
> brd xxx.xxx.xxx.255 scope global eth1
> inet xxx.xxx.xxx.93/29 brd xxx.xxx.xxx.95 scope global eth1:ovpn
> inet xxx.xxx.xxx.35/27 brd xxx.xxx.xxx.63 scope global eth1:mail1
> inet xxx.xxx.xxx.75/29 brd xxx.xxx.xxx.79 scope global eth1:mail2
> inet xxx.xxx.xxx.10/27 brd xxx.xxx.xxx.31 scope global eth1:web1
> inet xxx.xxx.xxx.82/29 brd xxx.xxx.xxx.87 scope global eth1:ipsec2
> inet xxx.xxx.xxx.36/27 brd xxx.xxx.xxx.63 scope global secondary eth1:web2
> inet xxx.xxx.xxx.76/29 brd xxx.xxx.xxx.79 scope global secondary eth1:web3
> inet xxx.xxx.xxx.3/27 brd xxx.xxx.xxx.31 scope global secondary eth1:gate1
> inet xxx.xxx.xxx.34/27 brd xxx.xxx.xxx.63 scope global secondary eth1:gate2
> inet xxx.xxx.xxx.5/27 brd xxx.xxx.xxx.31 scope global secondary eth1:mail
> inet xxx.xxx.xxx.92/29 brd xxx.xxx.xxx.95 scope global secondary eth1:ipsec
> My "main"-connections use xxx.xxx.xxx.94, but only one has to use
> xxx.xxx.xxx.92. If at my server I start up the connection using .92, all
> packets exit the interface with the .94 IP, of course getting
> NO_PROPOSAL_CHOSEN msgid=00000000 at phase 1. I also found, that all my
> other IPSec servers (creating tunnels to .94) sometimes receive ESP
> packets from .92, despite there being not a single connection using this
> IP to them. If the other side initiates the connection to .92 the server
> responds with the correct IP and the tunnel is established. Here is an
> excerpt from my ipsec.conf: uniqueids=yes
> nhelpers=0
> interfaces="ipsec0=eth1"
> conn site2site
> authby=secret
> right=xxx.xxx.xxx.92
> rightsubnet=
> rightnexthop=xxx.xxx.xxx.91
> left=xxx.xxx.xxx.21
> leftid="xxx.xxx.xxx.21"
> ikelifetime=480m
> keylife=3600s
> rekeymargin=5m
> keyingtries=0
> auto=start
> ike=3des-sha1;modp1024
> esp=3des-sha1;modp1024
> conn site2site-1
> leftsubnet=
> also=site2site
> conn site2site-2
> leftsubnet=
> also=site2site
> I tried adding an iptables rule to SNAT the packets src: .94 dst: .21 to
> source .92, but to no avail, they keep leaving from the wrong interface:
> iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.94 -d xxx.xxx.xxx.21 -j SNAT
> --to-source xxx.xxx.xxx.92 Anyone got some better idea or want to point me
> in the right direction here?

More information about the Users mailing list