[strongSwan] what the use (effect) of "righthostaccess=yes"
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Nov 20 15:15:08 CET 2017
Hi
I have an IPsec tunnel deployed/configured as below:
PC1----(lan)[GW1](wan)=====IPSEC====(wan)[GW2](lan)---PC2
PC1-ipaddr: 192.168.22.x
PC2-ipaddr: 192.168.25.x
GW1-lan-ipaddr: 192.168.22.1
GW2-lan-ipaddr: 192.168.25.1
I see that to allow access to 192.168.22.1 from PC2 (via the IPsec tunnel)
I should use the options "lefthostaccess=yes" (and also leftfirewall=yes)
on GW1.
And when we use these options, we have the following iptables rules added on
GW1 (through the updown script, automatically whenever the tunnel is UP):
---------------------------------------------------------------------------------------------------
root at lssimgw1:/usr/local/etc# iptables -nvL
Chain INPUT (policy ACCEPT 52 packets, 4680 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       192.168.22.0/24      192.168.25.0/24      policy match dir in pol ipsec reqid 1 proto 50

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       192.168.22.0/24      192.168.25.0/24      policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT     all  --  *      eth0    192.168.25.0/24      192.168.22.0/24      policy match dir out pol ipsec reqid 1 proto 50

Chain OUTPUT (policy ACCEPT 40 packets, 3976 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    192.168.25.0/24      192.168.22.0/24      policy match dir out pol ipsec reqid 1 proto 50
root at lssimgw1:/usr/local/etc#
--------------------------------------------------------------------------------------------------------
- So once we have the above firewall rules in place in the INPUT/OUTPUT
chains, we can access the GW1 LAN IP from PC2 via the IPsec tunnel
successfully.
- The same observation is also made when using the lefthostaccess option
on GW2.
Now if I use "righthostaccess=yes", I don't see any rules getting added in
the INPUT/OUTPUT chains, neither on GW1 nor on GW2.
- So my query is: what is the use of the option "righthostaccess=yes"? Where
and when do we use this option?
thanks & regards
Rajiv
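One way to verify the observation above, as an added example that is not from the original post or from strongSwan: parse `iptables -nvL` output and report which chains carry ACCEPT rules matched on the IPsec policy for a given reqid, so the presence or absence of the INPUT/OUTPUT host-access rules can be checked after the tunnel comes up. The sample output is constructed from the listing quoted in the mail; the function names are this example's own.

```python
"""Report which iptables chains hold the IPsec policy-match ACCEPT rules the
strongSwan updown script installs (added example; sample output constructed)."""
import re

# Constructed sample (lefthostaccess=yes + leftfirewall=yes on GW1, tunnel up).
SAMPLE = """\
Chain INPUT (policy ACCEPT 52 packets, 4680 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- eth0 * 192.168.22.0/24 192.168.25.0/24 policy match dir in pol ipsec reqid 1 proto 50
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- eth0 * 192.168.22.0/24 192.168.25.0/24 policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT all -- * eth0 192.168.25.0/24 192.168.22.0/24 policy match dir out pol ipsec reqid 1 proto 50
Chain OUTPUT (policy ACCEPT 40 packets, 3976 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * eth0 192.168.25.0/24 192.168.22.0/24 policy match dir out pol ipsec reqid 1 proto 50
"""

# Columns: pkts bytes target prot opt in out source destination [match extensions]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+\S+\s+\S+\s+(?P<in>\S+)\s+"
                     r"(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")

def parse_chains(text):
    """Return {chain: [rule dicts]} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and not line.strip().startswith("pkts"):
            m = RULE_RE.match(line)
            if m:
                chains[current].append(m.groupdict())
    return chains

def ipsec_policy_rules(chains, reqid):
    """Map chain -> sorted policy directions of ACCEPT rules for this reqid."""
    marker = re.compile(rf"policy match dir (in|out) pol ipsec reqid {reqid}\b")
    found = {}
    for name, rules in chains.items():
        hits = [marker.search(r["extra"]) for r in rules if r["target"] == "ACCEPT"]
        dirs = sorted({m.group(1) for m in hits if m})
        if dirs:
            found[name] = dirs
    return found

def host_access_enabled(chains, reqid):
    """True when INPUT (dir in) and OUTPUT (dir out) both accept the SA's traffic,
    i.e. the gateway's own address is reachable through the tunnel."""
    found = ipsec_policy_rules(chains, reqid)
    return "in" in found.get("INPUT", []) and "out" in found.get("OUTPUT", [])
```

Feed real `iptables -nvL` output into `parse_chains` on each gateway and compare `host_access_enabled` for the SA's reqid before and after changing the hostaccess options.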