[strongSwan] what the use (effect) of "righthostaccess=yes"

Andreas Steffen andreas.steffen at strongswan.org
Mon Nov 20 16:29:48 CET 2017


Hi Rajiv,

if "left" is local and "right" is remote then only
leftfirewall and lefthostaccess are defined.

rightfirewall and righthostaccess are used when
"right" is local and "left" is remote as in the
following scenario where sides are swapped:

https://www.strongswan.net/testing/testresults/ikev2/config-payload-swapped/

Regards

Andreas

On 20.11.2017 15:15, Rajiv Kulkarni wrote:
> Hi
>
> I have an ipsec tunnel deployed/configured as below:
>
> PC1----(lan)[GW1](wan)=====IPSEC====(wan)[GW2](lan)---PC2
>
> PC1-ipaddr: 192.168.22.x
> PC2-ipaddr: 192.168.25.x
>
> GW1-lan-ipaddr: 192.168.22.1
> GW2-lan-ipaddr: 192.168.25.1
>
>
> I see that to allow access to 192.168.22.1 from PC2 (via the ipsec
> tunnel) I should use the option "lefthostaccess=yes" (and also
> leftfirewall=yes) on GW1
>
> And when we use these options, we have the following iptables rules added
> on GW1 (through the updown script, automatically whenever the tunnel is up)
>
> ---------------------------------------------------------------------------------------------------
> root@lssimgw1:/usr/local/etc# iptables -nvL
> Chain INPUT (policy ACCEPT 52 packets, 4680 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   *       192.168.22.0/24      192.168.25.0/24      policy match dir in pol ipsec reqid 1 proto 50
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   *       192.168.22.0/24      192.168.25.0/24      policy match dir in pol ipsec reqid 1 proto 50
>     0     0 ACCEPT     all  --  *      eth0    192.168.25.0/24      192.168.22.0/24      policy match dir out pol ipsec reqid 1 proto 50
>
> Chain OUTPUT (policy ACCEPT 40 packets, 3976 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      eth0    192.168.25.0/24      192.168.22.0/24      policy match dir out pol ipsec reqid 1 proto 50
> root@lssimgw1:/usr/local/etc#
> --------------------------------------------------------------------------------------------------------
>
> - so once we have the above fw rules in place in the INPUT/OUTPUT
> chains, we can access the GW1-lan-ip from PC2 via the ipsec tunnel
> successfully...
> - The same observation is also made when using the lefthostaccess
> option on GW2 too..
>
>
>
> Now if I use "righthostaccess=yes"... I don't see any rules getting added
> in the INPUT/OUTPUT chains... neither on GW1 nor on GW2
>
> - So my query is: what's the use of the option
> "righthostaccess=yes"... where and when do we use this option?
>
>
> thanks & regards
> Rajiv
>
>
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
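The swapped-sides case Andreas describes, as an added ipsec.conf example that is not part of the original thread or of the strongSwan test suite. The WAN addresses 203.0.113.1 (GW1) and 198.51.100.1 (GW2) are assumed; the LAN subnets are the ones from Rajiv's diagram.

```ini
# Added example (not from the thread). Assumed WAN addresses:
# GW1 = 203.0.113.1, GW2 = 198.51.100.1. LAN subnets as in Rajiv's diagram.

# /etc/ipsec.conf on GW1, written with GW1 as "left".
# strongSwan decides which side is local by matching left/right against
# the host's own addresses. Here that is "left", so only the left*
# firewall options are evaluated; right* ones would be ignored on GW1.
# leftfirewall adds the FORWARD rules for the tunnel, lefthostaccess the
# extra INPUT/OUTPUT pair that lets PC2 reach 192.168.22.1, which lies
# inside leftsubnet and is therefore not covered by FORWARD alone.
conn gw1-gw2
    left=203.0.113.1
    leftsubnet=192.168.22.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=198.51.100.1
    rightsubnet=192.168.25.0/24
    auto=start

# The same GW1, with the sides swapped in the conn definition.
# GW1 is now "right", so the options that add the host-access rules are
# rightfirewall/righthostaccess; lefthostaccess would do nothing here
# because "left" is the remote peer.
conn gw1-gw2-swapped
    left=198.51.100.1
    leftsubnet=192.168.25.0/24
    right=203.0.113.1
    rightsubnet=192.168.22.0/24
    rightfirewall=yes
    righthostaccess=yes
    auto=start
```

The two conn definitions are alternatives for the same tunnel, not meant to be loaded together; which one you use only decides whether the host-access rules are requested via lefthostaccess or righthostaccess. In both cases the rules are only inserted when the default _updown script is in use.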
