[strongSwan] VPN Gateway behind firewall...

Flemming Hougaard fleh at varde.dk
Thu May 2 13:25:56 CEST 2013


I've tried to get a setup with 1x NIC behind NAT/PAT to work... But I can't seem to get it to work - The environment is looking like this:

LAN: - serveraddress:
Client side:

IKE & IPSEC is redirected to the

I've tried to mess around with VirtIP/Dummy devices... but I've hit a dead end.

It's supposed to be a point-to-point setup, and also support the use of the Android Client and Windows 7/8.

Does anyone have a working setup for this to share?


From: Martin Willi [martin at strongswan.org]
Sent: 23 April 2013 11:32
To: Flemming Hougaard
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] VPN Gateway behind firewall...

Hi Flemming,

> I have a StrongSwan server placed within the LAN behind a firewall (I
> do know that it's not the best setup...) where the ports 500 & 4500
> will be opened (properly with PAT).

> Can this be done with StrongSwan at all?

Yes, running a responder behind NAT is no problem, as long as you
forward the required ports to the IPsec gateway. Even double-NAT should
be no problem, have a look at the example at [1].

> The server will be having 1 NIC, and is supposed to be used as a VPN
> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
> VPNs (e.g. IPsec from an Astaro).

When serving Win7 clients, you'll have to assign a virtual IP. If you
want to integrate these clients transparently into your network, you can
use the DHCP [2] and farp [3] plugins ([4] for an example).

If you use a dedicated address range for virtual IPs, you'll have to
configure routing in your internal network accordingly.
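
The two virtual IP options described in the reply above, as an added configuration sketch that is not part of the original thread or of the strongSwan examples it cites. All addresses, the gateway identity, the certificate file name and the choice of EAP-MSCHAPv2 are assumptions; the dhcp and farp plugins must be built and loaded.

```conf
# ---- /etc/ipsec.conf on the gateway (constructed example) ----
# The firewall forwards UDP 500 and UDP 4500 to this host. ESP then
# travels encapsulated in UDP 4500, so no other forward is required.

config setup

conn roadwarrior
    keyexchange=ikev2
    # The gateway only sees its private LAN address, so accept on any
    # local address and identify by name instead of by IP (placeholder).
    left=%any
    leftid=@vpn.example.org
    leftcert=gatewayCert.pem          # placeholder file name
    # Single NIC: clients are tunnelled into the LAN the gateway sits on.
    leftsubnet=192.168.10.0/24        # placeholder LAN range
    right=%any
    # Assumed client authentication; EAP credentials go in ipsec.secrets.
    rightauth=eap-mschapv2
    eap_identity=%any

    # Option A: transparent integration. The dhcp plugin requests a
    # lease from the LAN DHCP server on behalf of each client, and the
    # farp plugin answers ARP for that address on the LAN, so internal
    # hosts need no extra route.
    rightsourceip=%dhcp

    # Option B: dedicated pool outside the LAN range. Use instead of
    # Option A; the internal network then needs a route for this pool
    # pointing at the gateway's LAN address.
    #rightsourceip=10.99.0.0/24       # placeholder pool

    auto=add

# ---- /etc/strongswan.conf (only needed for Option A) ----
charon {
    plugins {
        dhcp {
            # Send requests to one DHCP server instead of broadcasting
            # (placeholder address).
            server = 192.168.10.1
        }
    }
}
```

With Option B, a missing return route on the internal network shows up as tunnels that establish but carry traffic in one direction only, which is the first thing to check on the LAN router.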
