Hi, I have an IPsec tunnel deployed/configured as below:

PC1----(lan)[GW1](wan)=====IPSEC====(wan)[GW2](lan)---PC2

PC1-ipaddr: 192.168.22.x
PC2-ipaddr: 192.168.25.x
GW1-lan-ipaddr: 192.168.22.1
GW2-lan-ipaddr: 192.168.25.1

I see that to allow access to 192.168.22.1 from PC2 (via the IPsec tunnel) I should use the option "lefthostaccess=yes" (and also leftfirewall=yes) on GW1.

And when we use these options, we have the following iptables rules added on GW1 (through the updown script, automatically, whenever the tunnel is UP):

---------------------------------------------------------------------------------------------------
root@lssimgw1:/usr/local/etc# iptables -nvL
Chain INPUT (policy ACCEPT 52 packets, 4680 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       192.168.22.0/24      192.168.25.0/24      policy match dir in pol ipsec reqid 1 proto 50

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       192.168.22.0/24      192.168.25.0/24      policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth0    192.168.25.0/24      192.168.22.0/24      policy match dir out pol ipsec reqid 1 proto 50

Chain OUTPUT (policy ACCEPT 40 packets, 3976 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    192.168.25.0/24      192.168.22.0/24      policy match dir out pol ipsec reqid 1 proto 50
root@lssimgw1:/usr/local/etc#
--------------------------------------------------------------------------------------------------

- So once we have the above firewall rules in place in the INPUT/OUTPUT chains, we can access the GW1 LAN IP from PC2 via the IPsec tunnel successfully.
- The same observation is also made when using the lefthostaccess option on GW2.

Now if I use "righthostaccess=yes", I don't see any rules getting added in the INPUT/OUTPUT chains, neither on GW1 nor on GW2.

- So my query is: what is the use of the option "righthostaccess=yes"? Where and when do we use this option?

Thanks & regards,
Rajiv
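Added example, not part of Rajiv's post and not strongSwan's own _updown script: a small shell simulation of the up-client branch of the default updown script, written to show which of the rules in the listing above depend on the hostaccess flag. It assumes the environment variable names the updown plugin exports to the script (PLUTO_INTERFACE, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT, PLUTO_REQID, PLUTO_PROTO and PLUTO_HOST_ACCESS); the rule shape is taken from the iptables listing above. IPTABLES defaults to "echo iptables", so the script only prints the rules it would insert and runs without root and without touching the firewall.

```shell
#!/bin/sh
# Constructed simulation of the up-client branch of strongSwan's default
# _updown script (not the real script). IPTABLES defaults to "echo iptables"
# so rules are printed, not applied; set IPTABLES=iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Print the rules the updown script would insert for one CHILD_SA.
# Arguments: interface, local client subnet, peer client subnet, reqid,
#            IPsec protocol number (50 = ESP), and "1" if hostaccess is set
#            on the local side (empty otherwise).
# Variable names PLUTO_* are assumed to match what the updown plugin exports.
updown_rules() {
    PLUTO_INTERFACE=$1
    PLUTO_MY_CLIENT=$2
    PLUTO_PEER_CLIENT=$3
    PLUTO_REQID=$4
    PLUTO_PROTO=$5
    PLUTO_HOST_ACCESS=$6

    # These produce the "policy match dir in/out pol ipsec reqid N proto 50"
    # part of the listing: only packets that really came through (or will go
    # through) this SA are accepted, not cleartext packets with spoofed
    # source addresses.
    IPSEC_POLICY_IN="-m policy --dir in --pol ipsec --reqid $PLUTO_REQID --proto $PLUTO_PROTO"
    IPSEC_POLICY_OUT="-m policy --dir out --pol ipsec --reqid $PLUTO_REQID --proto $PLUTO_PROTO"

    # INPUT/OUTPUT pair: traffic to and from the gateway itself. Only added
    # when hostaccess is set on the side charon treats as local.
    if [ -n "$PLUTO_HOST_ACCESS" ]; then
        $IPTABLES -I INPUT 1 -i "$PLUTO_INTERFACE" -s "$PLUTO_PEER_CLIENT" -d "$PLUTO_MY_CLIENT" $IPSEC_POLICY_IN -j ACCEPT
        $IPTABLES -I OUTPUT 1 -o "$PLUTO_INTERFACE" -s "$PLUTO_MY_CLIENT" -d "$PLUTO_PEER_CLIENT" $IPSEC_POLICY_OUT -j ACCEPT
    fi

    # FORWARD pair: routed traffic between the two subnets. Added whenever
    # firewall=yes is set, with or without hostaccess.
    $IPTABLES -I FORWARD 1 -o "$PLUTO_INTERFACE" -s "$PLUTO_MY_CLIENT" -d "$PLUTO_PEER_CLIENT" $IPSEC_POLICY_OUT -j ACCEPT
    $IPTABLES -I FORWARD 1 -i "$PLUTO_INTERFACE" -s "$PLUTO_PEER_CLIENT" -d "$PLUTO_MY_CLIENT" $IPSEC_POLICY_IN -j ACCEPT
}

# Number of INPUT/OUTPUT rules produced for a given set of arguments.
count_host_rules() {
    updown_rules "$@" | grep -c -E '^iptables -I (INPUT|OUTPUT) ' || :
}

# Usage: the two situations from the question on GW1
# (eth0 = WAN interface, reqid 1, ESP = protocol 50).
echo "# hostaccess set on the local side (lefthostaccess=yes with left local):"
updown_rules eth0 192.168.22.0/24 192.168.25.0/24 1 50 1
echo "# hostaccess not set on the local side (e.g. only righthostaccess=yes):"
updown_rules eth0 192.168.22.0/24 192.168.25.0/24 1 50 ""
```

Run it with sh and compare the first case with the iptables -nvL listing above: the same INPUT, OUTPUT and two FORWARD rules appear, only the FORWARD pair appears in the second case. Which of left/right is "local" is decided by charon from the gateway's own addresses, so the hostaccess flag on the other side is just the peer's setting and exports nothing to the script on this gateway; that is consistent with righthostaccess=yes adding no INPUT/OUTPUT rules on either gateway when both configurations name the local gateway as left.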