[strongSwan] virtual interfaces for net to net tunneling (is it possible?)

Martin Willi martin at strongswan.org
Thu Nov 4 11:21:47 CET 2010


Hi Anthony,

> but I'm using a virtual interface to route these machines together

"virtual" interfaces (along with ifconfig) are an outdated concept on
Linux 2.6. I'd recommend the "ip" command from iproute2 to simply add an
additional address to the interface.

Assuming 
> 66.199.171.245
is external, and
> 192.168.100.181
is internal.

The problem is:
>     rightsourceip=192.168.100.0/24
is the same subnet as on the local LAN. LAN hosts won't route traffic to
the gateway. They expect that the host is on the LAN and try to find
them with ARP.

I have recently developed the farp plugin, an ARP faker (--enable-farp).
It fakes ARP responses for all IP addresses that you have assigned to
VPN clients, allowing the gateway to route that traffic.

Also check for address conflicts: with this config you will probably
assign LAN addresses that are already in use to VPN clients. You might
have a look at the dhcp plugin (--enable-dhcp), which gets local LAN
addresses from the DHCP server (set rightsourceip=%dhcp).

Finally, double-check that IP forwarding is enabled
(/proc/sys/net/ipv4/ip_forward).

Regards
Martin
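The two checks Martin asks for (does the rightsourceip pool overlap the LAN subnet, and is ip_forward on) can be scripted. The POSIX sh below is an added example written for this page, not code from the post or from strongSwan; the addresses 192.168.100.0/24 and 192.168.100.181 are the ones quoted in the thread, the comparison pools are constructed, and the ip_forward path is taken as a parameter only so the check can be run against a constructed file instead of the live /proc entry.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): detect a rightsourceip
# pool that collides with the LAN subnet, and verify IP forwarding.

# ip4_to_int: dotted quad -> 32-bit integer. Runs in a subshell so the
# IFS change does not leak into the caller.
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix_mask N: integer netmask for a /N prefix (0 <= N <= 32).
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_overlap A/n B/m: exit 0 (true) when the two ranges share any
# address, i.e. they agree on the network bits of the shorter prefix.
cidr_overlap() {
    net1=${1%/*}; len1=${1#*/}
    net2=${2%/*}; len2=${2#*/}
    if [ "$len1" -lt "$len2" ]; then short=$len1; else short=$len2; fi
    mask=$(prefix_mask "$short")
    n1=$(( $(ip4_to_int "$net1") & mask ))
    n2=$(( $(ip4_to_int "$net2") & mask ))
    [ "$n1" -eq "$n2" ]
}

# check_pool LAN POOL: prints a verdict; returns 1 on a conflict. A pool
# inside the LAN subnet means LAN hosts ARP for VPN clients instead of
# routing to the gateway (the situation farp or a disjoint pool fixes).
check_pool() {
    if cidr_overlap "$1" "$2"; then
        echo "CONFLICT: pool $2 overlaps LAN $1 (LAN hosts will ARP for VPN clients)"
        return 1
    fi
    echo "OK: pool $2 is disjoint from LAN $1"
    return 0
}

# ip_forward_enabled [PATH]: true when the sysctl file contains "1".
# PATH defaults to the real /proc entry; it is a parameter (my addition)
# so the check can be exercised against a constructed file.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo with the thread's values and a constructed ip_forward file.
check_pool 192.168.100.0/24 192.168.100.0/24      # the config from the thread
check_pool 192.168.100.0/24 10.10.10.0/24         # constructed disjoint pool
demo_file=$(mktemp)
echo 0 > "$demo_file"                               # constructed: forwarding off
ip_forward_enabled "$demo_file" || echo "ip_forward is disabled in $demo_file"
rm -f "$demo_file"
```

Run it on the gateway without arguments to the demo lines replaced by your own LAN subnet, the pool from ipsec.conf, and no path argument to ip_forward_enabled so it reads the live /proc entry.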
