[strongSwan] VPN Gateway behind firewall...

Flemming Hougaard fleh at varde.dk
Thu May 2 13:25:56 CEST 2013


Hi 

I've tried to get a setup with 1x NIC behind NAT/PAT to work... but I can't seem to get it to work. The environment looks like this:

LAN: 192.168.1.0/24 - server address: 192.168.1.100/24
Client side: 10.10.0.0/16

IKE & IPSEC is redirected to the 192.168.1.100/24

I've tried to mess around with VirtIP/Dummy devices... but I've hit a dead end.

It's supposed to be a point-to-point setup, and also support the use of the Android client and Windows 7/8

Does anyone have a working setup for this to share?

Regards
Flemming

_______________________________________
From: Martin Willi [martin at strongswan.org]
Sent: 23 April 2013 11:32
To: Flemming Hougaard
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] VPN Gateway behind firewall...

Hi Flemming,

> I have a strongSwan server placed within the LAN behind a firewall (I
> do know that it's not the best setup...) where the ports 500 & 4500
> will be opened (properly with PAT).

> Can this be done with StrongSwan at all?

Yes, running a responder behind NAT is no problem, as long as you
forward the required ports to the IPsec gateway. Even double-NAT should
be no problem, have a look at the example at [1].

> The server will be having 1 NIC, and is supposed to be used as a VPN
> gateway for "dial-up-vpns" (win 7/8) and point-to-point nailed up
> VPNs (e.g. IPsec from an Astaro).

When serving Win7 clients, you'll have to assign a virtual IP. If you
want to integrate these clients transparently into your network, you can
use the DHCP [2] and farp [3] plugins ([4] for an example).

If you use a dedicated address range for virtual IPs, you'll have to
configure routing in your internal network accordingly.

Regards
Martin

[1]http://www.strongswan.org/uml/testresults/ikev2/double-nat-net/index.html
[2]http://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin
[3]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
[4]http://www.strongswan.org/uml/testresults/ikev2/dhcp-dynamic/index.html
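A configuration that puts Martin's advice together for Flemming's environment (responder on 192.168.1.100 behind a NAT that forwards UDP 500 and 4500, Windows 7/8 and Android clients given a LAN address through the dhcp plugin and made reachable by farp, plus a nailed-up conn to the 10.10.0.0/16 site). This is an added example, not a configuration from the thread or from the strongSwan project; the hostname vpn.example.com, the certificate file name, the remote gateway 203.0.113.10 and the DHCP server 192.168.1.1 are assumed values.

```conf
# /etc/ipsec.conf on the gateway at 192.168.1.100 (single NIC, behind a NAT
# that forwards UDP 500 and 4500 to it). Added example; vpn.example.com,
# vpnHostCert.pem, 203.0.113.10 and 192.168.1.1 are assumed values.
config setup

conn %default
    keyexchange=ikev2
    left=%any                      # bind to the NIC; IKEv2 NAT detection handles the NAT itself
    leftid=@vpn.example.com        # FQDN identity, so the ID does not depend on the NATed address

# Road-warrior clients (Windows 7/8, Android): EAP-MSCHAPv2 users live in
# ipsec.secrets; the virtual IP is leased from the LAN's DHCP server, so the
# client appears as an ordinary 192.168.1.x host (farp answers ARP for it).
conn roadwarrior
    leftauth=pubkey
    leftcert=vpnHostCert.pem       # subjectAltName must contain vpn.example.com for Windows 7
    leftsubnet=0.0.0.0/0           # use 192.168.1.0/24 instead to tunnel only LAN traffic
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    rightsourceip=%dhcp            # handled by the dhcp plugin
    auto=add

# Nailed-up point-to-point tunnel to the 10.10.0.0/16 site, PSK authenticated.
# ipsec.secrets needs a line keyed on both IDs:  @vpn.example.com 203.0.113.10 : PSK "..."
# The remote gateway must allow NAT-T and expect the FQDN ID, not our NATed IP.
conn site-10-10
    leftauth=psk
    leftsubnet=192.168.1.0/24
    right=203.0.113.10             # assumed public address of the remote gateway
    rightauth=psk
    rightsubnet=10.10.0.0/16
    auto=start

# /etc/strongswan.conf: point the dhcp plugin at the LAN's DHCP server.
# dhcp and farp must be compiled in (--enable-dhcp --enable-farp) and loaded.
charon {
    plugins {
        dhcp {
            server = 192.168.1.1   # assumed; without it the plugin broadcasts on the NIC
        }
    }
}
```

Because the leased addresses come from the 192.168.1.0/24 pool itself, no extra routes are needed on the LAN; with a dedicated virtual IP range instead, the internal routers would need a route for that range pointing at 192.168.1.100, as Martin notes.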
