OpenWrt Forum Archive

Topic: IPsec access from WAN interface?

The content of this topic has been archived on 24 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've got an IPsec tunnel between two gateways (OpenWRT to another linux router). Computers behind the gateways can talk to one another just fine.

However, when I try to access (e.g. ping) a device on the remote LAN from the WRT's public WAN interface (64.x.x.x to 10.10.10.11, for example), the packets get dropped. tcpdump shows the packets entering the ipsec0 interface, but no ESP packets ever leave vlan1 (or enter eth0 on the remote side).

I'm using the default firewall, with the current firewall.user ruleset:

iptables -A input_rule -p esp -s $IPSEC_ENDPOINT              -j ACCEPT  # allow IPSEC (ESP) from the peer
iptables -A input_rule -p udp -s $IPSEC_ENDPOINT --dport 500  -j ACCEPT  # allow ISAKMP (IKE) from the peer
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT                  # decrypted tunnel traffic -> LAN
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT                  # LAN -> tunnel (to be encrypted)

Any ideas?

Thanks,

-Brian

That traffic probably doesn't match your ipsec policy. For every distinct type of traffic (i.e. every required source/destination set) you will have to define a new IPsec tunnel. You'll probably see those packets leave as regular IP packets to your upstream router, which (if properly configured) will silently drop them because they're not internet routable.

HTH
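To make the point of the reply above concrete: the kernel decides whether a packet is encrypted by looking up its source and destination in the security policy database (SPD), not by which interface it was sent out of. A packet whose source is the router's own WAN address does not fall inside a selector that only covers the LAN subnet, so no policy matches and the packet is sent in the clear (check with `ip xfrm policy` on a current Linux kernel, or `setkey -DP` with ipsec-tools, and with `tcpdump -ni vlan1 not esp` to catch the plaintext leak). The script below is an added example, not code from the thread or from OpenWrt: it parses policy text constructed in the shape of `ip xfrm policy` output and emulates the lookup, first with the LAN-only policy from the original post and then after adding the extra tunnel the reply recommends. The addresses (192.0.2.10 for the WRT's WAN address, 198.51.100.1 for the remote gateway, 192.168.1.0/24 for the local LAN) are assumptions standing in for the poster's 64.x.x.x and unstated LAN range.

```python
"""Emulate the IPsec SPD lookup that decides whether a packet is
encrypted or leaves in cleartext.

Added example for the OpenWrt forum thread above; not the thread's or
OpenWrt's own code. The policy text and all addresses are constructed.
"""
import ipaddress
import re

# Constructed to look like `ip xfrm policy` output: one tunnel between the
# local LAN (192.168.1.0/24, assumed) and the remote LAN (10.10.10.0/24).
# 192.0.2.10 stands in for the WRT's 64.x.x.x WAN address, 198.51.100.1
# for the remote gateway; both are assumptions.
LAN_ONLY_POLICIES = """\
src 192.168.1.0/24 dst 10.10.10.0/24
        dir out priority 2344
        tmpl src 192.0.2.10 dst 198.51.100.1
                proto esp reqid 1 mode tunnel
src 10.10.10.0/24 dst 192.168.1.0/24
        dir in priority 2344
        tmpl src 198.51.100.1 dst 192.0.2.10
                proto esp reqid 1 mode tunnel
"""

# The same SPD after adding a second tunnel whose local selector is the
# router's own WAN address (/32), which is what the reply recommends.
WITH_HOST_POLICY = LAN_ONLY_POLICIES + """\
src 192.0.2.10/32 dst 10.10.10.0/24
        dir out priority 2344
        tmpl src 192.0.2.10 dst 198.51.100.1
                proto esp reqid 2 mode tunnel
src 10.10.10.0/24 dst 192.0.2.10/32
        dir in priority 2344
        tmpl src 198.51.100.1 dst 192.0.2.10
                proto esp reqid 2 mode tunnel
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)$")   # selector line, no indent
DIRECTION = re.compile(r"^\s*dir (\w+)")          # indented "dir in|out|fwd"


def parse_policies(text):
    """Return a list of (src_net, dst_net, direction) from policy text."""
    policies = []
    selector = None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1), strict=False),
                        ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = DIRECTION.match(line)
        if m and selector is not None:
            policies.append((selector[0], selector[1], m.group(1)))
            selector = None
    return policies


def lookup(policies, src, dst, direction="out"):
    """First policy whose selectors contain both addresses wins, as in the
    kernel SPD lookup. None means no policy applies and the packet would
    be forwarded unencrypted to the upstream router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, pdir in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (str(src_net), str(dst_net))
    return None


def describe(policies, src, dst):
    """Human-readable verdict for one outbound packet."""
    hit = lookup(policies, src, dst)
    if hit is None:
        return f"{src} -> {dst}: no SPD match, sent in cleartext"
    return f"{src} -> {dst}: matches policy src {hit[0]} dst {hit[1]}, encrypted"


if __name__ == "__main__":
    lan_only = parse_policies(LAN_ONLY_POLICIES)
    with_host = parse_policies(WITH_HOST_POLICY)
    print("LAN-only SPD (the original post):")
    print(" ", describe(lan_only, "192.168.1.50", "10.10.10.11"))
    print(" ", describe(lan_only, "192.0.2.10", "10.10.10.11"))
    print("After adding a WAN-address/32 tunnel:")
    print(" ", describe(with_host, "192.0.2.10", "10.10.10.11"))
```

With only the LAN-to-LAN policy, a ping from a LAN host is encrypted but a ping sourced from the WAN address is not matched and would leave vlan1 unencrypted, which is exactly the "no ESP packets ever leave" symptom. Adding a policy (a second tunnel, in the poster's terms) with the WAN address as the local selector makes the same packet match. An alternative that needs no extra tunnel is to source the ping from the LAN address instead, e.g. `ping -I 192.168.1.1 10.10.10.11`, so it falls inside the existing selector.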

So even though the packet is entering the ipsec0 tunnel, because it has a source IP not matching the local subnet defined for my ipsec connection, it's getting dropped?

Basically.

Welcome to ipsec.

The discussion might have continued from here.