[strongSwan] roadwarrior as gateway, possible?

Zesen Qian strongswan-users at riaqn.com
Wed Dec 24 12:09:51 CET 2014


Noel Kuntze <noel at familie-kuntze.de> writes:

> Hello Zesen,
>
> You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 through the tunnel
> and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
> Make the hosts in the LAN use your old notebook as the gateway for the default route
> and it will work. I did that here at my place and it works just fine.
> See [1] for some explanation on getting routing to work.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 23.12.2014 at 02:47, Zesen Qian wrote:
>> Hi all,
>> I'm configuring a special roadwarrior and I'm quite new to the IPsec world,
>> so please correct me if I'm wrong. :-)
>> I want to configure it in such a way:
>>
>> 0. Riaqn-Laptop is my old laptop acting as a gateway in my home, the LAN
>> is 10.0.0.0/24, and the external IP is dynamically allocated.
>> Riaqn-VPS is a VPS, which has a static IP (that Riaqn-Laptop can
>> connect to).
>>
>> 1. Laptop as initiator, VPS as responder. Once the connection is
>> established, Laptop gives the VPS a virtual IP in 10.0.0.0/24 (just like
>> the local LAN machines). Do the dhcp and farp plugins do the trick?
>>
>> 2. Then all outgoing traffic in the LAN goes through IPsec, that is, if
>> a normal computer in the LAN connects to an outside server, the server
>> should see the VPS's IP.
>>
>> Is it possible with strongSwan? I've seen lots of config examples on the
>> strongSwan website, but none of them is like what I described. I have
>> struggled for more than a week... BTW, is there any good article that
>> explains traffic selectors/routing in IPsec (for a beginner)?
>> Any comments are appreciated!
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Hi Noel,
   Thanks for your reply!
   I checked the URL and tried to understand it. Then I configured it in
   such a way:
   1. Server and client ipsec.conf are here [1].
   2. I do some iptables stuff on the server side, just as the URL says:
      iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
      iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
   3. Then I bring the client up. Once the connection is established, the
   client's connectivity to everything (to the Internet, to the LAN) seems cut off.
   The outside world cannot ping the client (gateway), and LAN machines
   cannot connect to it, either.
   4. However, I can connect to the client from the server. I typed
   ssh 10.0.0.1 to check what happens. So this is what it looks like on the
   client [2].
   5. And this is what it looks like on the server [3].

   Would you help me check this information, please? BTW, do you know any
   articles explaining traffic selectors/routing/stuff? I'm really
   confused about how IPsec is integrated into my network..

[1] https://bpaste.net/show/45dcd2c1100d
[2] https://bpaste.net/show/e2add2951990
[3] https://bpaste.net/show/96a7300a7e73
-- 
Zesen Qian (钱泽森)
Undergraduate
School of Software
Shanghai Jiao Tong University
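A check a practitioner would run on the VPS after applying the two NAT rules from step 2, added here as an example and not part of the thread: netfilter walks nat/POSTROUTING top to bottom and stops at the first match, so the `--pol ipsec` exemption only protects tunnel-bound traffic from NAT if it sits above the MASQUERADE rule for the same prefix. The function parses the text of `iptables-save -t nat`; the interface venet0 and prefix 10.0.0.0/24 come from the message, the dumps themselves are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nat/POSTROUTING chain of an
# `iptables-save` dump for the forwarding gateway setup. netfilter stops at the
# first matching rule, so the "-m policy --dir out --pol ipsec -j ACCEPT"
# exemption only takes effect if it comes BEFORE the MASQUERADE rule.
# Return codes: 0 = order correct, 1 = MASQUERADE shadows the exemption,
#               2 = one of the two rules is missing for that prefix.
check_nat_order() {
    dump="$1"   # text of `iptables-save -t nat`
    lan="$2"    # LAN prefix used in the rules, e.g. 10.0.0.0/24
    printf '%s\n' "$dump" | awk -v lan="$lan" '
        # count only rules appended to POSTROUTING, in chain order
        $1 == "-A" && $2 == "POSTROUTING" {
            n++
            if (index($0, "-s " lan) && /--pol ipsec/ && /-j ACCEPT/ && !acc) acc = n
            if (index($0, "-s " lan) && /-j MASQUERADE/ && !masq) masq = n
        }
        END {
            if (!acc || !masq) exit 2
            if (acc < masq) exit 0
            exit 1
        }'
}

# Constructed dump with the rules in the order they were typed in the message
# above (MASQUERADE appended first): the ipsec exemption can never match.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Constructed dump with the exemption first, so it is consulted before MASQUERADE.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
COMMIT'

if [ "${1:-}" = "--demo" ]; then
    check_nat_order "$BAD_DUMP" 10.0.0.0/24;  echo "as typed: rc=$?"         # rc=1
    check_nat_order "$GOOD_DUMP" 10.0.0.0/24; echo "exemption first: rc=$?"  # rc=0
fi
```

On a live box, feed it `"$(iptables-save -t nat)"` instead of the constructed dumps.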
