[strongSwan] VPN client traffic through web proxy

Richard Andrews richard.andrews at symstream.com
Mon Aug 27 08:23:05 CEST 2012


Sounds like you need policy based IP routing.

eg. set up policy routing such that encrypted packets go out the
external interface, but the proxy is the next-hop for everything else.


On Thu, 2012-08-23 at 12:50 -0700, S S wrote:
> Hi there,
> 
> I'm experimenting with Strongswan and have hit a problem.
> 
> I have a setup working using IKEv2, x509 certs, and virtual IP pool.
> However internet traffic is being routed back out the VPN gateway
> external interface. I'd like to route the traffic out of a dedicated
> proxy server instead.
> 
> The setup is as follows. 
> 
> A. VPN gateway with two interfaces; one external interface facing the
> internet, one interface on the private subnet (10.0.1.0/24).
> 
> B. Internal services such as a webserver on the private subnet
> (10.0.1.0/24).
> 
> C. Proxy server with two interfaces; one external interface facing the
> internet (different from the VPN gateway), one interface on the
> private subnet (10.0.1.0/24).
> 
> VPN clients are placed in the virtual IP pool 10.0.2.0/24.
> 
> The idea is all traffic from the clients has to go through the tunnel.
> As mentioned above I can route clients to the internet popping out
> from the VPN gateway. I can also route services B through the proxy C
> successfully. However I'm unable to get VPN clients to route through
> the proxy in a similar manner. 
> 
> It seems that the iptables and table 220 rules always route through
> the interface that the connection comes in on (eth0) rather than to
> the internal interface (eth1).
> 
> Any ideas how I can correct this? I feel like there should be some
> static routes or other rules but I want to be able to scale with
> automatic rules added etc.
> 
> Many thanks,
> 7
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users





More information about the Users mailing list