[strongSwan] Sharing virtual IP address with IP masquerading

aecomm at ellisquarter.com
Wed Mar 3 08:26:25 CET 2010

Hi.  I am new to strongSwan, and after examining the documentation, I do not
think it supports my particular application.  I would appreciate if someone
could help explain if I missed something, or if there is a mechanism to do
what I need.  Thanks.


I have a setup like this:


Box A (client) - Box B (VPN tunnel service with NAT-T) - Router (dynamic NAT) - Internet - VPN Concentrator - Home Network


Box A is completely unaware of the VPN service, knowing only that Box B is
its default gateway.  Box A uses a single, static private IP address.  Box B
provides a tunneling service for Box A to the VPN Concentrator.  Everything
from Box A is tunneled to the VPNC.  (So far, this sounds a bit like
site-to-site with leftsubnet=<something>.)  But Box A needs to appear as if
it is on the home network (like a remote access application).  So as part of
IKEv2 negotiation, Box B also needs to obtain a remote IP address from the
VPNC, similar to using leftsourceip = %config.  Box B must then use this
remote IP address in its IP masquerading function.  In other words, every
packet from Box A that enters Box B must first have its source address
modified to use the remote IP address obtained from the VPNC, then the
packet is pushed into the tunnel.  The reverse occurs for packets from the
VPNC, which will be addressed to the remote IP address - packets destined
for the remote IP address must end up going through the IP masquerade
function to set the destination address back to the statically-known private
IP address of Box A.  (Box B knows the static IP address of Box A.)


I'm wondering if strongSwan has the ability to share the remote IP address
obtained from the VPNC with an IP masquerading function?


I also noticed at http://wiki.strongswan.org/wiki/1/VirtualIp that
strongSwan does not support setting both leftsourceip = %config and setting
leftsubnet to something non-empty, and I can see why given more typical
applications.  But it seemed like I needed leftsubnet non-empty to get the
SA behavior I wanted.  Can I set this up manually?


Are there any other gotchas I should look out for?


Thank you to everyone for your help.
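One way to tie the virtual IP to the masquerading the post describes, as an added example that is not part of the original post and not strongSwan's own _updown script: an updown hook for Box B that reads the virtual IP from the PLUTO_MY_SOURCEIP variable strongSwan exports to updown scripts and installs the matching SNAT/DNAT rules. It assumes the connection uses leftsourceip=%config with an empty leftsubnet (so the installed policy covers the virtual IP /32) and leftupdown= pointing at this script; BOX_A_IP is a constructed placeholder for Box A's static private address.

```shell
#!/bin/sh
# Added example (not from the original post, not strongSwan's _updown script):
# updown hook for Box B. strongSwan runs the leftupdown= script with PLUTO_VERB
# and, when a virtual IP was obtained via leftsourceip=%config, PLUTO_MY_SOURCEIP
# in the environment. Assumption: policy on Box B is <virtual IP>/32 <-> home net.

BOX_A_IP="${BOX_A_IP:-192.168.1.10}"   # constructed value: Box A's static address

# nat_rules VERB VIP: print the iptables commands for this event, one per line.
# Outbound: Box A's source becomes the virtual IP in POSTROUTING, so the packet
# matches the <VIP>/32 selector of the IPsec policy and is sent into the tunnel.
# Inbound: packets leaving the tunnel carry the virtual IP as destination and are
# DNATed back to Box A in PREROUTING (conntrack already handles replies to flows
# Box A started; the explicit rule covers connections initiated from the home net).
nat_rules() {
    verb="$1"; vip="$2"
    case "$verb" in
        up-client)   op="-A" ;;   # CHILD_SA established: add the rules
        down-client) op="-D" ;;   # CHILD_SA gone: remove them again
        *)           return 0 ;;  # host verbs and anything else: nothing to do
    esac
    printf 'iptables -t nat %s POSTROUTING -s %s/32 -j SNAT --to-source %s\n' \
        "$op" "$BOX_A_IP" "$vip"
    printf 'iptables -t nat %s PREROUTING -d %s/32 -j DNAT --to-destination %s\n' \
        "$op" "$vip" "$BOX_A_IP"
}

# apply_rules VERB VIP: execute the commands; returns non-zero if any rule fails,
# so a half-installed translation is reported instead of silently leaking traffic.
apply_rules() {
    nat_rules "$1" "$2" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

# Entry point when invoked by strongSwan; a no-op without the updown environment.
# PLUTO_MY_SOURCEIP is only set when the %config request actually yielded an IP.
if [ -n "$PLUTO_VERB" ] && [ -n "$PLUTO_MY_SOURCEIP" ]; then
    apply_rules "$PLUTO_VERB" "$PLUTO_MY_SOURCEIP"
fi
```

Because a custom leftupdown= replaces the default _updown script, call the default script first from this hook if you still rely on its route or firewall handling.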
