[strongSwan] Tunnel iteration

Kimmo Koivisto koippa at gmail.com
Tue May 8 13:31:31 CEST 2012


Hello

Is it possible to select decrypted traffic from one tunnel and send it
into another tunnel to be encrypted?

Environment:

[A]--[B]--[C]--[D]

where A is a road warrior, B is a strongSwan server, C is another
strongSwan server and D is an application server.

There is a need to establish a tunnel from A, so that B assigns a virtual
IP address from the IP pool IP1 and acts as the tunnel endpoint.
A tries to connect to D using B as the VPN gateway, so there is an IPsec SA
between IP1 and D and an IKE SA between A and B.

Then, when B decrypts the traffic from IP1 (A), it should create/use
IPsec for that traffic; there should be a tunnel between B and C. So
there is an IPsec SA between IP1 and D and an IKE SA between B and C.

This kind of setup is supported in some commercial VPNs and is usable
in service provider (SP) scenarios where the SP is the tunnel endpoint for
road warriors and the traffic is sent encrypted to the customer network.
There can be many customers and thus multiple C servers.
Of course I can do this setup by adding one more strongSwan between
B and C to create a site-to-site VPN. But is this doable without an extra
server? Can strongSwan support this kind of tunnel/traffic iteration?

Best Regards,
Kimmo
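One way to express the setup asked about above in strongSwan's ipsec.conf on B, as an added example that is not part of the original post and not the strongSwan project's own documentation. Everything address-related is assumed: B's public address 203.0.113.10, C's public address 198.51.100.20, the IP1 pool 10.10.0.0/24, D's network 192.168.100.0/24 behind C, and the certificate identities. The idea is that both tunnels terminate on B as ordinary policy-based IPsec: a packet A sends to D is decrypted on the road-warrior SA, forwarded by the kernel, and then matched against the outbound policy of the B-C connection, whose left traffic selector is the IP1 pool itself.

```conf
# ipsec.conf on B (the SP gateway). Added example, hypothetical addressing.
#   B public address            203.0.113.10
#   C public address            198.51.100.20
#   IP1 pool for road warriors  10.10.0.0/24
#   D's network behind C        192.168.100.0/24
config setup
    # charon (IKEv2) only; IP forwarding must be enabled on B:
    #   sysctl -w net.ipv4.ip_forward=1

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=203.0.113.10
    leftcert=gatewayB.pem
    leftid=@gateway-b.example.net

# Road warriors (A). B hands out a virtual IP from IP1 and is the tunnel
# endpoint: IKE SA A<->B, IPsec SA between A's pool address and D's network.
# From B's point of view the selectors are 192.168.100.0/24 <-> 10.10.0.x/32.
conn roadwarrior
    leftsubnet=192.168.100.0/24     # what A is allowed to reach (D)
    right=%any
    rightsourceip=10.10.0.0/24      # IP1 pool assigned to road warriors
    rightauth=pubkey                # or an EAP method for users
    auto=add

# Site-to-site to the customer gateway C: IKE SA B<->C, IPsec SA between the
# IP1 pool and D's network. A packet 10.10.0.x -> 192.168.100.y that was just
# decrypted on the roadwarrior SA does not match that connection's outbound
# policy (src would have to be 192.168.100.0/24), so after forwarding it
# matches this one and is encrypted again towards C. Return traffic from D
# is decrypted here and then matches the roadwarrior outbound policy.
conn to-customer-c
    leftsubnet=10.10.0.0/24         # the IP1 pool, i.e. the road-warrior addresses
    right=198.51.100.20
    rightid=@gateway-c.example.net
    rightsubnet=192.168.100.0/24    # D's network
    auto=start
```

For several customers, add one `to-customer-*` connection per C with its own `rightsubnet` and list all customer networks in the road-warrior `leftsubnet`. The important property is that the two connections' traffic selectors are mirror images of each other, so exactly one outbound policy matches in each direction; `ip xfrm policy` on B shows the installed policies and is the quickest way to confirm which one a given src/dst pair hits.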
