[strongSwan] Newbie question on routing of packets by vpn gateway

Ashwin Rao ashwin.shirvanthe at gmail.com
Wed Jul 11 05:14:07 CEST 2012


I have a few questions related to the internals of strongSwan. I would
like to elaborate on my current setup to give some context for these.

I have set up a VPN gateway on an Ubuntu 12.04 machine (kernel 3.2.x)
using strongSwan 5.0, where my clients authenticate using xauthrsasig.
My clients use this gateway to access the Internet. My VPN gateway
lets the clients use a virtual IP in the range 192.168.1.x because I
have "rightsourceip=" in the ipsec.conf file. A packet
capture on the interface of my gateway connected to the Internet shows
the following stream of packets:

1) roadwarrior-ip -----> vpn-gw-ip    ... packets are encrypted
2) 192.168.1.x -----> google-ip  ... packets are not encrypted I can
see the HTTP GET requests
3) vpn-gw-ip ---> google-ip   ...  same TCP payload but from a different
source IP because my VPN gateway is acting like a NAT box connecting the
192.168.1.x network to the Internet
4) google-ip ----> vpn-gw-ip  .. the response from the remote server
5) vpn-gw-ip ----> google-ip  .. packets are encrypted.

I see three packets (1, 2, and 3) for each packet that my roadwarrior
client sends to google, but I see only two packets (4 and 5) that are
the response from google. A previous question on the mailing list
points to the use of the NETKEY implementation by strongSwan, which does not
use a virtual interface ipsec*. However, I am not clear as to why this
happens. Sadly, the documentation of NETKEY is not as clear as the
strongSwan documentation. My problem is that I would like to analyze
individual TCP/UDP payloads that go to and come from my roadwarrior:

1) Does strongSwan have access to all the packets that pass through
the VPN tunnel? Is there a module/function in the strongSwan system that
receives all the packets from the roadwarrior clients and the packets that
are intended to be sent to a particular roadwarrior client?
2) I would like to know why I am able to see packets in one
direction in their raw form (with TCP/UDP payloads) but I cannot see
the TCP/UDP payloads that are a response to these packets. How and why
does the NETKEY implementation affect the packets coming from the Internet
to my roadwarrior clients?
3) How does strongSwan modify the routing entries? Where is this done
in the strongSwan code base? I can see "192.168.1.xx via <gateway used
by vpn server> dev eth0 proto static" on running ip route list table
4) Does the kernel maintain any mapping between the virtual IPs
assigned by strongSwan to a roadwarrior and the IP addresses of the
roadwarrior client? Is this mapping maintained only by strongSwan, or
does the kernel maintain this mapping?
5) Can you suggest a way of modifying the routes or playing with the
routing tables so that I can have access to these payloads? I would
like to use xauthrsasig for authentication, and I do not want to use
L2TP or PPTP for setting up the VPN gateway.
6) Has strongSwan 5.0 been ported to or tested on OpenBSD or FreeBSD? Can
I run a strongSwan daemon (with virtual IPs for clients) on OpenBSD
(or FreeBSD)?

Thanks and Regards,
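The question about whether the kernel keeps the mapping between a client's virtual IP and its real address can be checked directly on a NETKEY/XFRM gateway: strongSwan installs that mapping into the kernel as XFRM policies (`ip xfrm policy`), one each for the in, fwd and out directions, whose selector carries the virtual IP and whose template carries the tunnel endpoints. The following script is an added example for this thread, not code from the original post or from the strongSwan project. It parses constructed sample output of `ip xfrm policy` (the virtual IPs, the documentation-range peer addresses and the reqid values are made up) and rebuilds the virtual-IP-to-peer table, flagging tunnels whose three policies are missing or inconsistent. It also explains the capture asymmetry in a comment: on an XFRM host, tcpdump on the outer interface sees an inbound ESP packet and then its decrypted copy (the decrypted packet is re-injected into the receive path), while an outbound packet is only seen after XFRM has encrypted it.

```python
"""Rebuild the virtual-IP -> road-warrior mapping from `ip xfrm policy` output.

Added example for the strongSwan users-list thread; not part of strongSwan.
Background (why the original capture looks asymmetric): with the Linux XFRM
(NETKEY) stack there is no ipsec* interface. An inbound ESP packet is seen by
tcpdump once encrypted and once more after decryption, because the decrypted
packet is re-injected into the receive path of the same interface. An outbound
packet is encrypted by XFRM before the point where tcpdump taps it, so only the
ESP copy is visible in that direction.
"""
import re
from typing import Dict, List, Set

# Constructed sample of `ip xfrm policy` output for two road warriors.
# Real output is tab-indented; the parser accepts any whitespace.
# 203.0.113.1 is the (assumed) gateway, 198.51.100.x the clients' real addresses.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 192.168.1.10/32
    dir out priority 399999 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
        proto esp reqid 1 mode tunnel
src 192.168.1.10/32 dst 0.0.0.0/0
    dir fwd priority 399999 ptype main
    tmpl src 198.51.100.7 dst 203.0.113.1
        proto esp reqid 1 mode tunnel
src 192.168.1.10/32 dst 0.0.0.0/0
    dir in priority 399999 ptype main
    tmpl src 198.51.100.7 dst 203.0.113.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.11/32
    dir out priority 399999 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.42
        proto esp reqid 2 mode tunnel
src 192.168.1.11/32 dst 0.0.0.0/0
    dir fwd priority 399999 ptype main
    tmpl src 198.51.100.42 dst 203.0.113.1
        proto esp reqid 2 mode tunnel
src 192.168.1.11/32 dst 0.0.0.0/0
    dir in priority 399999 ptype main
    tmpl src 198.51.100.42 dst 203.0.113.1
        proto esp reqid 2 mode tunnel
"""

# One policy record: selector line, dir line, template line, proto/reqid/mode line.
RECORD_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)[ \t]*\n"
    r"\s*dir (?P<dir>\w+)[^\n]*\n"
    r"\s*tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)[ \t]*\n"
    r"\s*proto (?P<proto>\w+) reqid (?P<reqid>\d+) mode (?P<mode>\w+)",
    re.MULTILINE,
)


def parse_xfrm_policies(text: str) -> List[dict]:
    """Return one dict per policy record found in `ip xfrm policy` output."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def virtual_ip_map(text: str) -> Dict[str, dict]:
    """Map each /32 virtual IP to its tunnel peer, reqid and the policy
    directions seen for it. Raises ValueError if the directions disagree."""
    mapping: Dict[str, dict] = {}
    for pol in parse_xfrm_policies(text):
        if pol["proto"] != "esp" or pol["mode"] != "tunnel":
            continue
        if pol["dir"] == "out":
            # Traffic towards the client: selector dst is the virtual IP,
            # template dst is the client's real address.
            vip, peer = pol["dst"], pol["tdst"]
        else:
            # "in" and "fwd": selector src is the virtual IP,
            # template src is the client's real address.
            vip, peer = pol["src"], pol["tsrc"]
        if not vip.endswith("/32"):
            continue  # not a single virtual IP; skip site-to-site style selectors
        vip = vip[: -len("/32")]
        reqid = int(pol["reqid"])
        entry = mapping.setdefault(vip, {"peer": peer, "reqid": reqid, "dirs": set()})
        if entry["peer"] != peer or entry["reqid"] != reqid:
            raise ValueError(f"inconsistent policies for virtual IP {vip}")
        entry["dirs"].add(pol["dir"])
    return mapping


def complete_tunnels(mapping: Dict[str, dict]) -> Dict[str, dict]:
    """Keep only virtual IPs that have all three policy directions installed."""
    required: Set[str] = {"in", "fwd", "out"}
    return {vip: e for vip, e in mapping.items() if e["dirs"] == required}


if __name__ == "__main__":
    table = virtual_ip_map(SAMPLE_XFRM_POLICY)
    for vip, e in sorted(table.items()):
        status = "ok" if vip in complete_tunnels(table) else "incomplete"
        print(f"{vip:15} -> {e['peer']:15} reqid={e['reqid']} {status}")
```

On the gateway itself the same parser can be fed the live output of `ip xfrm policy`; the matching SAs (keys, SPIs, counters) are listed by `ip xfrm state`, and the per-client host routes the original post mentions live in the routing table strongSwan manages alongside these policies.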
