[strongSwan] VPN Gateway behind firewall...

Pawel Grzesik pawel.grzesik at brainstorm.co.uk
Tue Apr 23 11:51:21 CEST 2013

On 04/23/2013 10:32 AM, Martin Willi wrote:
> Hi Flemming,
>> I have a StrongSwan server placed within the LAN behind a firewall (I
>> do know that it's not the best setup...) where the ports 500 & 4500
>> will be opened (properly with PAT).
>> Can this be done with StrongSwan at all?
> Yes, running a responder behind NAT is no problem, as long as you
> forward the required ports to the IPsec gateway. Even double-NAT should
> be no problem, have a look at the example at [1].
You are right, but I don't think that is a good idea. It's much more
difficult to troubleshoot.
Also it depends on your network configuration, sometimes you will need 
to do much more with your routing. I think there is a doc about that: 
>> The server will be having 1 NIC, and is supposed to be used as a VPN
>> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
>> VPNs (e.g. ipsec from an Astaro).
> When serving Win7 clients, you'll have to assign a virtual IP. If you
> want to integrate these clients transparently into your network, you can
> use the DHCP [2] and farp [3] plugins ([4] for an example).
> If you use a dedicated address range for virtual IPs, you'll have to
> configure routing in your internal network accordingly.
> Regards
> Martin
> [1]http://www.strongswan.org/uml/testresults/ikev2/double-nat-net/index.html
> [2]http://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin
> [3]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
> [4]http://www.strongswan.org/uml/testresults/ikev2/dhcp-dynamic/index.html
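
A responder configuration for the setup discussed in this thread (gateway behind a NAT firewall, Windows 7 clients given virtual IPs through the dhcp and farp plugins), added here as an example and not taken from the thread or from the strongSwan project. The addresses, host name, certificate file name and connection name are assumptions.

```conf
# /etc/ipsec.conf on the gateway inside the LAN (constructed example).
# Assumed: gateway LAN address 192.168.1.10, public name vpn.example.org,
# and a firewall that forwards UDP 500 and UDP 4500 to 192.168.1.10.

conn win7-roadwarrior
    keyexchange=ikev2
    left=%any                    # listen on the private LAN address
    leftid=@vpn.example.org      # identity the clients expect, not the private IP
    leftauth=pubkey
    leftcert=gatewayCert.pem     # placeholder file name
    leftsubnet=192.168.1.0/24    # internal network offered to the clients
    right=%any                   # clients connect from arbitrary addresses
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=%dhcp          # virtual IP is requested through the dhcp plugin
    auto=add

# /etc/strongswan.conf (constructed example)
charon {
    plugins {
        dhcp {
            server = 192.168.1.1   # assumed internal DHCP server
        }
        # farp takes no options here; once loaded it answers ARP requests
        # on the LAN for the virtual IPs handed out to clients
    }
}
```

With a dedicated virtual IP range in `rightsourceip` instead of `%dhcp`, the internal network needs a route for that range pointing at the gateway, as the quoted reply notes.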
