[strongSwan] VPN Gateway behind firewall...
Flemming Hougaard
fleh at varde.dk
Thu May 2 13:25:56 CEST 2013
Hi
I've tried to get a setup with 1x NIC behind NAT/PAT to work... But I can't seem to get it to work - The environment is looking like this:
LAN: 192.168.1.0/24 - serveraddress: 192.168.1.100/24
Client side: 10.10.0.0/16
IKE & IPSEC is redirected to the 192.168.1.100/24
I've tried to mess around with VirtIP/Dummy devices... but I've hit a dead end.
It's suppose to be a point-to-point setup, and also support the use of the Android Client and Windows 7/8
Anyone has a working setup for this to share?
Regards
Flemming
_______________________________________
Fra: Martin Willi [martin at strongswan.org]
Sendt: 23. april 2013 11:32
Til: Flemming Hougaard
Cc: users at lists.strongswan.org
Emne: Re: [strongSwan] VPN Gateway behind firewall...
Hi Flemming,
> I have an StrongSwan server placed within the LAN behind a firewall (I
> do know that it's not the best setup...) where the ports 500 & 4500
> will be opened (properly with PAT).
> Can this be done with StrongSwan at all?
Yes, running a responder behind NAT is no problem, as long as you
forward the required ports to the IPsec gateway. Even double-NAT should
be no problem, have a look at the example at [1].
> The server will be having 1 NIC, and is supposed to be used as a VPN
> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
> VPN's (eg. ipsec from a Astaro).
When serving Win7 clients, you'll have to assign a virtual IP. If you
want to integrate these clients transparently into your network, you can
use the DHCP [2] and farp [3] plugins ([4] for an example).
If you use a dedicated address range for virtual IPs, you'll have to
configure routing in your internal network accordingly.
Regards
Martin
[1]http://www.strongswan.org/uml/testresults/ikev2/double-nat-net/index.html
[2]http://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin
[3]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
[4]http://www.strongswan.org/uml/testresults/ikev2/dhcp-dynamic/index.html
More information about the Users
mailing list