[strongSwan] ptp where vpn servers are not gateway

Gary Smith gary.smith at holdstead.com
Tue Feb 22 19:10:14 CET 2011

In my 3-node scenario where I have a<->b, b<->c, and c<->a, the VPN server for network a isn't the default router. The default router in that case is a bridged firewall.

I was looking at this example (http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/), which is fairly close to what I want to do in this case, but the question I have is about the ipsec.conf settings. For left, in the case of moon, would I be using the VPN server's public IP here (it's not NATed in this case)?

The next question I have is that I have a class C range for my DMZ at site a. If I wanted to allow PTP traffic from b and c to the DMZ over VPN, given that x.x.x.1 is the provider gateway, x.x.x.2 is my firewall and x.x.x.20 is my VPN server, is there a way to set this up? With Openswan I tried setting leftsubnet=x.x.x.x/24, left=x.x.x.20, leftnexthop=x.x.x.2, but that never worked. Any advice on this scenario? My alternate solution is to assign a 10.x.x.x/24 range to the DMZ side by side and route that over the VPN.
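For reference, here is what the site-a side of the net-net connection the post links to looks like when adapted to the addressing described above. This is an added illustration, not the poster's configuration and not the strongSwan test scenario's own file: the post's placeholders (x.x.x.20 for the VPN server, x.x.x.x/24 for the DMZ) are kept as written, and the certificate file names, identities, and the remote site's addresses (198.51.100.1, 192.0.2.0/24) are assumptions chosen for the example.

```ini
# Added example modelled on the linked net2net-cert scenario; all names and
# the remote site's addresses below are assumed, not taken from the post.
config setup

conn %default
        keyexchange=ikev2
        authby=pubkey              # certificate authentication, as in the test scenario

conn a-to-b
        # left is the VPN server's own (non-NATed) public address, not the
        # bridged firewall in front of it and not the provider gateway.
        left=x.x.x.20
        leftcert=siteaCert.pem     # assumed file name under /etc/ipsec.d/certs
        leftid="C=CH, O=example, CN=vpn-a.example.org"   # assumed identity
        # Traffic selector: the DMZ /24, which the VPN server itself sits in.
        leftsubnet=x.x.x.x/24
        # Remote side (site b); address, identity and subnet are assumed.
        right=198.51.100.1
        rightid="C=CH, O=example, CN=vpn-b.example.org"
        rightsubnet=192.0.2.0/24
        auto=start
```

Two things to check with this layout. First, there is no nexthop setting to express here: charon installs its own routes for the remote subnets on the VPN host, so the forwarding problem lives on the other DMZ hosts, whose default route points at the firewall (x.x.x.2). Unless that firewall (or each DMZ host) carries a route for 192.0.2.0/24 via x.x.x.20, replies from the DMZ leave through the firewall instead of entering the tunnel, which is the symptom the Openswan attempt described. Second, since x.x.x.20 lies inside leftsubnet, the VPN server's own traffic to the remote subnet also matches the policy, which is usually the intended behaviour; the 10.x.x.x/24 alternative mentioned above avoids the question entirely by routing a dedicated range instead of the DMZ's public block.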


