[strongSwan] Help configuring strongSWAN for remote Windows access

ddk273 at gmail.com
Fri Nov 12 14:36:50 CET 2010

I wonder if someone can help me please.

I am trying to set up a VPN or IPSec tunnel from a Windows 7 laptop in a remote location to an Ubuntu server on my local network, so that it can access the printer there and also (and most importantly) that all its internet traffic then goes via this local network to the internet.  By 'onward internet traffic', I mean that if the remote laptop user opens a browser while connected via VPN/IPSec and visits a web page then that web page believes that the laptop is on my local network and all the resulting traffic (not just http or https) goes via my local network and its router and the VPN/IPSec channel to the remote laptop.  Although the proxy server software (squid) on the Ubuntu server does provide some of this function and the onward routing of http and https traffic, some sites seem to bypass this server and send other non-http/non-https internet traffic, e.g. video traffic, direct to the remote laptop.

I do not want any of the other Windows PCs at the remote location to gain access to the Ubuntu server and my local network but I do not mind if the other PCs on my local network are not accessible to the remote laptop when connected via VPN/IPSec.

I have tried OpenVPN and the laptop connects but I couldn't get it to push the default gateway of my local network to the Windows laptop to then access any internet sites, despite following many configuration examples, and hence it cannot then get out to the internet once connected.  I have tried Openswan with xl2tpd but have not been able to get the Windows laptop to connect.  I am hoping that strongSwan will do what I want but I really need help with the configuration files as I am totally lost as all the IP addresses are so similar and the routers at both locations do not allow me to change them to different ranges.  Note that the remote user does have an account on the Ubuntu server purely for authentication and squid uses PAM to verify they are who they are.  I have no problem generating certificates for strongSwan as I already did this for OpenVPN.

Many thanks


Local Network:

ADSL2+ Modem/Wireless Router
  Provides DHCP in the range 192.168.1.x (cannot be changed)
  Gateway (cannot be changed)
  External IP as provided by ISP A.B.C.D
  Supports port forwarding

Ubuntu 10.04 Server with IP address (it only has 1 network connection: eth0)
Network Printer with IP address
A number of other PCs connected via a switch to the router and some laptops connected directly to the router via wireless.
My preferred IP range for any VPN/IPSec connected PCs would be

Remote Location (a different country from my local network):

WiMAX Modem/Wireless Router
  Provides DHCP in the range 192.168.1.x (cannot be changed)
  Gateway IP address: (cannot be changed)
  External IP as provided by ISP of W.X.Y.Z

Windows 7 laptop with IP address connected via cable to the router - this is the only one I wish to be able to connect to my local network.
Other Windows PCs connected via wireless to the router: IP addresses 192.168.1.y.  These must not be able to connect to my local network.
