On Thu, Jul 13, 2017 at 07:42:47AM +0000, Madden, Joe wrote:
> Hi Lennart,
>
> The source IP of the IPsec would be 1.1.1.1 (It's obviously not really this, I
> just wanted to hide my Ext IP). The source traffic to go over the IPsec VPN
> would be 192.168.70.1:xxxxx to 10.190.22.0/24:9001
>
> That doesn't work - But traffic from 10.190.22.0/24:xxxxx to
> 192.168.70.1:5000 does work.
>
> It's pretty odd - I'll try leftsourceip=1.1.1.1 but I'm not sure it's going
> to fix the issue.
No, the left ip is the EXTERNAL ip on the left side. You need traffic to come from the INTERNAL ip on the left side or the tunnel won't forward it. leftsourceip is for the internal address to send from, not the external address. The tunnel creates a route on the left side that says 10.190.22.0 is via the right side, but by default it doesn't say what IP to use as a source when sending. The leftsourceip tells it that any traffic sent to that destination network should pick the specified source ip when sending, which has to be an address in the leftsubnet. So I meant what I wrote.

> I don't have a router for 10.190.22.0/24 - It expects just to use default
> route - I'll add one too to see if that makes a difference.

It might. Specifying the source ip ought to make it create an explicit route then. Although I don't recall libreswan ever NOT creating a route for the remote network when I used it.

--
Len Sorensen

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
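For readers following the thread, here is an added ipsec.conf illustration (not posted by either participant) of the two settings being discussed: leftsourceip pointed at the external address, beside the form Len describes, where it is an address inside leftsubnet. The addresses 1.1.1.1, 192.168.70.1 and 10.190.22.0/24 come from the thread; 203.0.113.2 as the right gateway, 192.168.70.0/24 as leftsubnet, and the authby/auto settings are assumed placeholders.

```ini
# Added illustration, not from the thread. 203.0.113.2, 192.168.70.0/24
# and the authby/auto values are assumed placeholders.

# As proposed in the question: leftsourceip is the EXTERNAL address.
# It is not inside leftsubnet, so it does not give locally originated
# traffic toward 10.190.22.0/24 an internal source address; replies
# from the right side (10.190.22.0/24 -> 192.168.70.1) still work
# because that direction already matches the tunnel selectors.
conn site-broken
    left=1.1.1.1
    leftsubnet=192.168.70.0/24
    leftsourceip=1.1.1.1
    right=203.0.113.2
    rightsubnet=10.190.22.0/24
    authby=secret
    auto=start

# As described in the reply: leftsourceip is an INTERNAL address inside
# leftsubnet. Traffic the left gateway itself sends to 10.190.22.0/24 is
# then sourced from 192.168.70.1 and matches the tunnel's left selector,
# and libreswan installs the route to rightsubnet with that source.
conn site
    left=1.1.1.1
    leftsubnet=192.168.70.0/24
    leftsourceip=192.168.70.1
    right=203.0.113.2
    rightsubnet=10.190.22.0/24
    authby=secret
    auto=start
```

After bringing the second conn up, `ip route get 10.190.22.1` on the left gateway should report `src 192.168.70.1`; if it still shows the external address, the route-with-source that leftsourceip is meant to create is not in place.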
