[strongSwan] Re: How to access the service on the server which acts as the VPN Gateway as well?

Aries 2232491716 at qq.com
Wed Nov 26 16:48:36 CET 2014


Hi Martin,


Thank you for your reply.


After some experiments, I finally achieved my initial target by
ip addr add xxx.xxx.xxx.xxx/32 dev lo
and some iptables rules for protection.


I am wondering, regarding the security issues, what are the main differences between the ip addr add and dummy interface methods?


As this link [1] suggests, the dummy interface can be replaced by the IP alias method. However, as far as I know, the IP alias is also an obsolete method. Could you please give me some suggestions on that? Thank you.


Best regards,
Aries


[1] http://www.tldp.org/LDP/nag2/x-087-2-iface.interface.html




------------------ Original Message ------------------
From: "Martin Willi";<martin at strongswan.org>;
Sent: Monday, November 24, 2014, 5:52 PM
To: "Aries"<2232491716 at qq.com>;
Cc: "users"<users at lists.strongswan.org>;
Subject: Re: [strongSwan] How to access the service on the server which acts as the VPN Gateway as well?



Hi Aries,

> The VPN is using IKEv2 and the connections between clients and server
> established successfully. The clients are assigned virtual IPs drawn
> from a 10.0.0.0/24 pool. The clients can also access each other through
> the tunnel without a problem. However I notice that the server itself
> which acts as the VPN Gateway does not have a virtual IP address.

No, strongSwan does not automatically assign an address from that pool
to your local host. You can do this manually, though, just make sure it
is routable/accessible over the tunnel, and it doesn't conflict with
addresses actually handed out from the pool.

You may install such an address as an additional one to your primary
interface, or for better protection create a dummy interface with
appropriate routes.

Regards
Martin
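
The dummy-interface variant described above, with firewall rules that admit only IPsec-decapsulated traffic to the gateway's own address, as an added example that is not from the thread. The address 10.0.0.254, the interface name dummy0, the function name and the specific iptables rules are assumptions (the post does not list its rules); the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed values:
#   10.0.0.254 - assumed to be an address that is never leased to a client
#   dummy0     - assumed name for the dummy interface
# Linux answers for a local address on any interface by default, so the
# address itself gives no isolation; the INPUT rules below provide it.

# Print the setup commands for a gateway-local tunnel address.
# Usage: gateway_addr_plan <ipv4-address> <interface-name>
gateway_addr_plan() {
    addr=$1
    ifname=$2

    # Reject anything that is not digits and dots before it reaches a command.
    case "$addr" in
        ""|*[!0-9.]*) echo "invalid address: $addr" >&2; return 1 ;;
    esac
    case "$ifname" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid interface: $ifname" >&2; return 1 ;;
    esac

    cat <<EOF
ip link add $ifname type dummy
ip link set $ifname up
ip addr add $addr/32 dev $ifname
iptables -A INPUT -i lo -d $addr -j ACCEPT
iptables -A INPUT -d $addr -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -d $addr -j DROP
EOF
}

# Stand-alone use: ./plan.sh 10.0.0.254 dummy0 | less
if [ "$#" -eq 2 ]; then
    gateway_addr_plan "$1" "$2"
fi
```

The policy match accepts a packet only if it arrived through an inbound IPsec policy, so the same address reached in cleartext from the external interface hits the final DROP rule.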