[strongSwan] VPN Gateway behind firewall...
pawel.grzesik at brainstorm.co.uk
Tue Apr 23 11:51:21 CEST 2013
On 04/23/2013 10:32 AM, Martin Willi wrote:
> Hi Flemming,
>> I have a StrongSwan server placed within the LAN behind a firewall (I
>> do know that it's not the best setup...) where the ports 500 & 4500
>> will be opened (properly with PAT).
>> Can this be done with StrongSwan at all?
> Yes, running a responder behind NAT is no problem, as long as you
> forward the required ports to the IPsec gateway. Even double-NAT should
> be no problem, have a look at the example at .
You are right, but I don't think that is a good idea. It's much more
difficult to troubleshoot.
Also it depends on your network configuration, sometimes you will need
to do much more with your routing. I think there is a doc about that:
>> The server will be having 1 NIC, and is supposed to be used as a VPN
>> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
>> VPNs (e.g. IPsec from an Astaro).
> When serving Win7 clients, you'll have to assign a virtual IP. If you
> want to integrate these clients transparently into your network, you can
> use the DHCP and farp plugins ( for an example).
> If you use a dedicated address range for virtual IPs, you'll have to
> configure routing in your internal network accordingly.