[strongSwan] VPN Gateway behind firewall...
martin at strongswan.org
Tue Apr 23 11:32:51 CEST 2013
> I have a StrongSwan server placed within the LAN behind a firewall (I
> do know that it's not the best setup...) where the ports 500 & 4500
> will be opened (properly with PAT).
> Can this be done with StrongSwan at all?
Yes, running a responder behind NAT is no problem, as long as you
forward the required ports to the IPsec gateway. Even double-NAT should
be no problem; have a look at the example at .
> The server will be having 1 NIC, and is supposed to be used as a VPN
> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
> VPNs (eg. ipsec from an Astaro).
When serving Win7 clients, you'll have to assign a virtual IP. If you
want to integrate these clients transparently into your network, you can
use the DHCP and farp plugins ( for an example).
If you use a dedicated address range for virtual IPs, you'll have to
configure routing in your internal network accordingly.
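
A sketch of the gateway-side configuration for the DHCP/farp setup described above, added here as an illustration and not part of the original post or of strongSwan's own examples. All addresses, the hostname and the certificate file name are constructed placeholders, and EAP-MSCHAPv2 is an assumed authentication choice for the Windows clients.

```conf
# ---- /etc/ipsec.conf (gateway with one NIC, behind the port-forwarding firewall) ----
# Placeholders (constructed): 192.168.10.0/24 is the internal LAN,
# vpn.example.org is the name clients use to reach the firewall's public address.

conn win-roadwarriors
    keyexchange=ikev2
    left=%any                      # gateway only has a private address
    leftid=@vpn.example.org        # must match the name in the gateway certificate
    leftcert=gatewayCert.pem       # placeholder file name
    leftauth=pubkey
    leftsubnet=192.168.10.0/24     # expose only the LAN that clients need
    right=%any                     # clients arrive from arbitrary (NATed) addresses
    rightauth=eap-mschapv2         # assumption: password-based Windows clients
    eap_identity=%any
    rightsourceip=%dhcp            # virtual IP is requested from the LAN's DHCP server
    auto=add

# ---- /etc/strongswan.conf ----
# The dhcp and farp plugins must be built (--enable-dhcp --enable-farp) and loaded.
# farp needs no settings: it answers ARP requests on the LAN on behalf of the
# virtual IPs, so internal hosts reach the clients without extra routes.

charon {
    plugins {
        dhcp {
            # Send requests to a specific DHCP server instead of broadcasting.
            server = 192.168.10.1
            # Derive the client MAC from the IKE identity so the same
            # identity keeps getting the same lease.
            identity_lease = yes
        }
    }
}

# ---- Firewall in front of the gateway (not strongSwan configuration) ----
# Forward only UDP 500 (IKE) and UDP 4500 (NAT-T) to the gateway's LAN address;
# no other inbound port is required for this setup.
```

With a dedicated `rightsourceip` pool (for example a separate subnet) instead of `%dhcp`, the farp plugin does not help and the internal network needs a route for that pool pointing at the gateway, as the reply notes.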