[strongSwan] VPN Gateway behind firewall...

Martin Willi martin at strongswan.org
Tue Apr 23 11:32:51 CEST 2013


Hi Flemming,

> I have a StrongSwan server placed within the LAN behind a firewall (I
> do know that it's not the best setup...) where the ports 500 & 4500
> will be opened (properly with PAT).

> Can this be done with StrongSwan at all?

Yes, running a responder behind NAT is no problem, as long as you
forward the required ports to the IPsec gateway. Even double-NAT should
be no problem; have a look at the example at [1].

> The server will be having 1 NIC, and is supposed to be used as a VPN
> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
> VPNs (e.g. IPsec from an Astaro).

When serving Win7 clients, you'll have to assign a virtual IP. If you
want to integrate these clients transparently into your network, you can
use the DHCP [2] and farp [3] plugins ([4] for an example).

If you use a dedicated address range for virtual IPs, you'll have to
configure routing in your internal network accordingly.

Regards
Martin

[1] http://www.strongswan.org/uml/testresults/ikev2/double-nat-net/index.html
[2] http://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin
[3] http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
[4] http://www.strongswan.org/uml/testresults/ikev2/dhcp-dynamic/index.html
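
A gateway configuration for the setup described in the reply above, as an added example that is not part of the original message and is not copied from the linked test scenarios. The hostname, certificate file name and all addresses are assumptions chosen for illustration.

```conf
# ---- /etc/ipsec.conf on the gateway (constructed example) ----
# Perimeter firewall: forward UDP 500 (IKE) and UDP 4500 (NAT-T) to this
# host. Once NAT is detected, ESP is carried inside UDP 4500, so no
# separate forwarding of IP protocol 50 is needed.
config setup

conn win7
    keyexchange=ikev2
    left=%any                  # gateway only has a private address
    leftid=@vpn.example.org    # assumed public name; clients connect to the
                               # firewall's address, so the certificate must
                               # carry this name as subjectAltName
    leftcert=gatewayCert.pem   # assumed file name
    leftauth=pubkey
    leftsubnet=10.1.0.0/16     # assumed internal LAN
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=%dhcp        # virtual IP leased from the LAN's DHCP server
    # Alternative: a dedicated pool instead of DHCP/farp. The internal
    # network then needs a route for this range pointing at the gateway.
    # rightsourceip=10.3.0.0/24
    auto=add

# ---- /etc/strongswan.conf on the gateway (constructed example) ----
# The dhcp and farp plugins must be built and loaded. farp answers ARP
# requests for the leased virtual IPs on the LAN and has no options.
charon {
    plugins {
        dhcp {
            # assumed LAN broadcast address; a unicast DHCP server
            # address also works
            server = 10.1.255.255
        }
    }
}
```

With `rightsourceip=%dhcp` the clients appear as ordinary hosts on the LAN, so internal host firewalls and ACLs that trust the local subnet will also trust VPN clients; the dedicated pool keeps them distinguishable.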





