[strongSwan] Home network config

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Fri Feb 19 14:48:54 CET 2010

Hi Raza,

I never used the L2TP/IPsec client so I can't tell how to set it up.

If you want to use plain IPsec you have - in my opinion - the following 

WindowsXP + NCP Secure Entry Client for Win32/64 (142 EUR)
WindowsXP + Shrew Soft VPN client (free of charge)
Windows 7 + NCP Secure Entry Client for Win32/64 (142 EUR)

Windows 7 + built-in IKEv2 VPN client

If you decide to use IKEv1, you are going to setup the pluto daemon 
(plutostart=yes). If you want to use IKEv2 you are going to use the 
charon daemon on the strongSwan side.

You have to make sure that your NAT router forwards packets destined for to your strongSwan box.

Do you know how to create X.509 certificates?

If you want to use Windows 7 you could use a connection definition which 
is similar to

config setup

conn win7

There's one issue I have with Windows 7: The native IPsec client sends 
all IP traffic through the IPsec tunnel; even traffic that is not 
destined for your home network. As a consequence, if the road warrior 
accesses some site on the internet, the traffic will be sent through 
your strongSwan box at home.


Razza wrote:
> Hi Daniel,
> I was thinking of the bundled L2TP/IPsec client, I don't mind paying for 
> a VPN client if there are better/more flexible options. If the client is 
> over £30 ($40) I would rather just buy Win 7.
> I am happy with a different range, say 
> <> for the VPN users.
> Kind regards,
> On 19 February 2010 12:29, Daniel Mentz 
> <danielml+mailinglists.strongswan at sent.com 
> <mailto:danielml%2Bmailinglists.strongswan at sent.com>> wrote:
>     Hi Razza,
>     you need to setup your DSL/NAT Router to forward UDP datagrams
>     destined for ports 500 and 4500 to your strongSwan box.
>     You said that you want to allocate IP addresses for road warriors
>     inside the <> range. This
>     could be difficult to achieve. Can you waive this requirement and
>     come up with a separate IP prefix for road warriors? Like
>     10.x.y.0/24? This would make things much easier.
>     I'm using this kind of setup for Win7 clients. Which IPsec client
>     software do you want to use on Windows XP?
>     -Daniel
>     Razza wrote:
>         Hi all, I’m new to the list and am looking for a bit of advice.
>         I’ve looked
>         around but can’t find any examples close to what I want to
>         achieve, probably
>         because it’s flawed from a purists security view point. Anyway,
>         I want to
>         use strongSwan in a home network environment, mainly so I can
>         access home
>         network machines whilst I’m away. E.g. ssh to my asterisk
>         server, RDP/VNC to
>         my partners machine etc.
>         My network is as follows –
> <> -- | | |
>         Dynamic RIPE IP | -- Internet
>          Home Network     |  Inside i/f  | |   Outside i/f   |
>                           |         DSL/NAT Router           |
>         As I only have a single RIPE address on my DSL, I intend to port
>         forward
>         necessary ports to a single interface on my strongSwan box.
>         My strongSwan box will have an address in the range
> <>. I would
>         prefer to have a singe physical interface if possible, but could
>         have two.
>         When I connect from an internet connected machine (soon Win7,
>         currently XP),
>         I would like to be allocated a virtual IP in the range of my
>         home network (
> <>).
>         Is this possible?
>         _______________________________________________
>         Users mailing list
>         Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>         https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list