[strongSwan] VPN and mediation

Martin Willi martin at strongswan.org
Mon Dec 12 16:37:19 CET 2011

Hello Julien,

> I would like to set up a VPN where the entry point E (strongswan
> server) and the services server S are not in the same place (LAN).
> The point is that I want the traffic from clients to S not to be
> routed through E.
> In some way, E is used only to authenticate the vpn users and to setup
> the access between users and S.

By definition, an IKE established tunnel always uses the IKE endpoints
as outer tunnel addresses. This makes it relatively hard to do tunnel
encapsulation on a different IP address, at least with existing

What's the reason to have E and S in different places? What about doing
the IKE exchange (and tunnel encapsulation) with S, and handle user
authentication and policy decisions by a backend server, via RADIUS for


