[strongSwan] roadwarrior as gateway, possible?

Noel Kuntze noel at familie-kuntze.de
Tue Dec 23 19:48:28 CET 2014


Hello Zesen,

You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 through the tunnel
and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
Make the hosts in the LAN use your old notebook as the gateway for the default route
and it will work. I did that here at my place and it works just fine.
See [1] for some explanation on getting routing to work.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.12.2014 at 02:47, Zesen Qian wrote:
> Hi all,
> I'm configuring a special roadwarrior and I'm quite new to the IPsec world,
> so please correct me if I'm wrong. :-)
> I want to configure it in the following way:
>
> 0. Riaqn-Laptop is my old laptop acting as the gateway in my home; the LAN
> is 10.0.0.0/24, and the external IP is dynamically allocated.
> Riaqn-VPS is a VPS, which has a static IP (that Riaqn-Laptop can
> connect to).
>
> 1. Laptop as initiator, VPS as responder. Once the connection is
> established, the Laptop gives the VPS a virtual IP in 10.0.0.0/24 (just like
> the local LAN machines). Do the dhcp and farp plugins do the trick?
>
> 2. Then all outgoing traffic in the LAN goes through IPsec, that is, if
> a normal computer in the LAN connects to an outside server, the server
> should see the VPS's IP.
>
> Is it possible with strongSwan? I've seen lots of config examples on the
> strongSwan website, but none of them is like what I described. I have
> struggled for more than a week... BTW, is there any good article that
> explains traffic selectors/routing in IPsec (for a beginner)?
> Any comments are appreciated!




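As an added example (not part of the thread, and not strongSwan's own code), the setup Noel describes, written out for the laptop side. It assumes the LAN is 10.0.0.0/24 as in the question, a constructed VPS address 198.51.100.10, and hypothetical identities and certificate file names. The block renders the two ipsec.conf conns and models how charon derives XFRM policy priority from the selectors, so that the narrower 10.0.0.0/24 <-> 10.0.0.0/24 passthrough wins over the 10.0.0.0/24 <-> 0.0.0.0/0 tunnel selector for traffic between the gateway and LAN hosts:

```python
import ipaddress
from dataclasses import dataclass

# Networks from the question; the VPS address is a constructed placeholder.
LAN = ipaddress.ip_network("10.0.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
VPS_IP = "198.51.100.10"


@dataclass(frozen=True)
class Policy:
    """One IPsec policy as charon installs it into the kernel (XFRM)."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "tunnel" (protect with ESP) or "passthrough" (send in clear)

    def matches(self, src, dst):
        return src in self.src and dst in self.dst

    @property
    def specificity(self):
        # charon assigns XFRM priorities from the selectors: the more prefix
        # bits the two selectors pin down, the earlier the policy is consulted.
        # Summing the prefix lengths is a simplification of that scheme.
        return self.src.prefixlen + self.dst.prefixlen


# The two policies the laptop ends up with: everything from the LAN goes to
# the VPS, except LAN-to-LAN traffic, which the passthrough keeps local.
POLICIES = [
    Policy("vps", LAN, ANY, "tunnel"),
    Policy("lan-local", LAN, LAN, "passthrough"),
]


def select_policy(src_ip, dst_ip, policies=POLICIES):
    """Return the action the most specific matching policy applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p.matches(src, dst)]
    if not hits:
        return "plain"  # no policy at all: the packet is not IPsec-processed
    return max(hits, key=lambda p: p.specificity).action


def render_ipsec_conf(vps_ip=VPS_IP, lan=LAN):
    """ipsec.conf for the laptop gateway (identities/cert names hypothetical)."""
    return f"""conn %default
    keyexchange=ikev2

# Tunnel the LAN's default route to the VPS; no virtual IP is needed,
# the LAN prefix itself is the local traffic selector.
conn vps
    left=%defaultroute
    leftsubnet={lan}
    leftid=@laptop.example
    leftauth=pubkey
    leftcert=laptopCert.pem
    right={vps_ip}
    rightid=@vps.example
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    auto=start

# Narrower passthrough policy so gateway <-> LAN traffic is not caught
# by the 0.0.0.0/0 selector above. type=passthrough needs auto=route.
conn lan-local
    leftsubnet={lan}
    rightsubnet={lan}
    type=passthrough
    auto=route
"""


if __name__ == "__main__":
    print(render_ipsec_conf())
    for src, dst in [("10.0.0.1", "10.0.0.5"),        # gateway to a LAN host
                     ("10.0.0.5", "203.0.113.1"),     # LAN host to the internet
                     ("198.51.100.7", "203.0.113.1")]:  # gateway's own public IP
        print(f"{src} -> {dst}: {select_policy(src, dst)}")
```

The VPS side needs a matching conn with rightsubnet=10.0.0.0/24 and leftsubnet=0.0.0.0/0, IP forwarding enabled on both hosts, and a MASQUERADE/SNAT rule on the VPS for 10.0.0.0/24 so the outside server sees the VPS's address, which is the forwarding part the wiki page Noel links covers.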