[strongSwan] Problem setting source IP

Dietrich Feist dfeist at bgc-jena.mpg.de
Tue Jul 17 15:43:27 CEST 2012


I am trying to connect a remote site to our internal network with
strongswan. Here is my setup:

Remote site

- 1 server + additional clients on private subnet
- server is directly connected to the internet through a DSL line
- server has only one network interface (eth0), so I need virtual IPs
- server is also default gateway for clients on private subnet

IP setup on remote server

eth0:   (standard server address on remote side)
eth0:1    (default gateway address for clients)
eth0:2 (outside connection)

Local site

- several servers and clients on public subnet
- network is protected by firewall
- 1 gateway server for IPsec is reachable through firewall

IP setup on gateway server


Clients from both subnets should transparently reach each other through
the IPsec tunnel. Besides, also gateway and remote server have to be
able to talk to each other through the IPsec tunnel directly. I have
tried many configurations but only the one with the four-tunnel example
(2.3) from


works (I know this is outdated). The example 2.4 does not work at all. I
have also tried to adapt the more up-to-date example


but to no avail. The packets do not go through the tunnel and try to
take the default route instead.

With my working setup, I have one problem: packets from the remote
server appear in the local network with IP address I would
prefer to have them come in with source IP but no luck so far.

Here is my currently working setup:

# ipsec.conf - strongSwan IPsec configuration file

config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes

conn %default

conn net-net

conn net-host

conn host-net

conn host-host

As you can see, I tried to add "rightsourceip" at several points but
every time I uncomment one of them, it breaks the connection.

I would appreciate any help, espcially hints for a less complicated setup.

Kind regards


PS: I am using strongswan 4.4.1-5.2 on Debian Squeeze on both machines.

More information about the Users mailing list