[strongSwan] roadwarrior as gateway, possible?

Noel Kuntze noel at familie-kuntze.de
Wed Dec 24 13:53:00 CET 2014


Oh, and furthermore,
1) you also need to except IPsec traffic from NAT on your client.
2) You need to clean up your MASQUERADE rules on your server.
    A correct iptables rule set for you looks like this:
    iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 24.12.2014 um 12:09 schrieb Zesen Qian:
> Noel Kuntze <noel at familie-kuntze.de> writes:
>> Hello Zesen,
>> You do not need a virtual IP. Route == through the tunnel
>> and use a passthrough policy of == to allow local traffic.
>> Make the hosts in the LAN use your old notebook as gateway for the default route
>> and it will work. I did that here at my place and it works just fine.
>> See [1] for some explanation on getting routing to work.
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> Am 23.12.2014 um 02:47 schrieb Zesen Qian:
>>> Hi all,
>>> I'm configuring a special roadwarrior and I'm quite new to the IPsec world,
>>> so please correct me if I'm wrong. :-)
>>> I want to config it in such way:
>>> 0. Riaqn-Laptop is my old laptop acting as gateway in my home, the lan
>>> is, and the external IP is dynamically allocated.
>>> Riaqn-VPS is a VPS, which has a static IP (that Riaqn-Laptop can
>>> connect to).
>>> 1. Laptop as initiator, VPS as responder. Once the connection is
>>> established, Laptop gives the VPS a virtual IP in (just as
>>> the local lan machines). Do the dhcp and farp plugins do the trick?
>>> 2. Then all outgoing traffic in the lan goes through IPsec, that is, if
>>> a normal computer in the lan connects to an outside server, the server
>>> should see the VPS's IP.
>>> Is it possible with strongswan? I've seen lots of config examples on the
>>> strongswan website, but none of which is like what I said. I have
>>> struggled for more than a week... BTW, is there any good article that
>>> explains traffic selectors/routing in IPsec (for a beginner)?
>>> Any comments are appreciated!
> Hi Noel,
>    Thanks for your reply!
>    I checked the URL and tried to understand it. Then I configured it in
>    such a way:
>    1. server and client ipsec.conf are here [1].
>    2. I do some iptables stuff on the server side, just as the URL says:
>       iptables -t nat -A POSTROUTING -s -o venet0 -j MASQUERADE
>       iptables -t nat  -A POSTROUTING -s -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>    3. Then I up the client. Once the connection is established, the
>    client's connection to everything (to Internet, to LAN) seems cut-up.
>    Outer world cannot ping the client(gateway), and LAN machines
>    cannot connect to it, either.
>    4. However, I can connect the client from the server. I typed
>    ssh to check what happens. So this is what it looks like on
>    client [2]
>    5. And this is what it looks like on server [3]
>    Would you help me check this info please? BTW, do you know any
>    articles explaining traffic selectors/routing/stuff? I'm really
>    confused how IPsec is integrated into my network..
> [1] https://bpaste.net/show/45dcd2c1100d
> [2] https://bpaste.net/show/e2add2951990
> [3] https://bpaste.net/show/96a7300a7e73
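The point of Noel's corrected rule set is ordering: iptables walks the POSTROUTING chain top-down and MASQUERADE is a terminating target, so the `-m policy --pol ipsec --dir out -j ACCEPT` exception has to come first or packets destined for the tunnel get their source address rewritten before the IPsec policy ever sees them. The script below is an added example, not part of the thread or of strongSwan: it keeps the corrected rules in a function and adds a small audit that reads a `iptables -t nat -S POSTROUTING` listing from stdin and reports whether the IPsec exception precedes any MASQUERADE rule. The two listings it checks are constructed samples (the 10.0.0.0/24 subnet is an assumption; venet0 is the interface from the thread), not captures from the poster's server.

```shell
#!/bin/sh
# Added example (not from the original thread or strongSwan): audit a
# nat/POSTROUTING listing for the rule misordering discussed above.

# The corrected rule set from the reply, kept in a function so it can be
# reviewed before use. Applying it needs root and iptables; it is not
# called by this script.
apply_rules() {
    iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
}

# Read a listing in the format of `iptables -t nat -S POSTROUTING` from
# stdin. Exit 0 when the IPsec passthrough ACCEPT rule comes before every
# MASQUERADE rule (or there is no MASQUERADE at all), 1 otherwise.
check_order() {
    awk '
        /--pol ipsec/ && /-j ACCEPT/ && !accept { accept = NR }
        /-j MASQUERADE/ && !masq              { masq = NR }
        END {
            if (!masq)   { print "ok: no MASQUERADE rule present"; exit 0 }
            if (!accept) { print "MASQUERADE without an IPsec exception"; exit 1 }
            if (accept < masq) {
                print "ok: IPsec exception (rule " accept ") precedes MASQUERADE (rule " masq ")"
                exit 0
            }
            print "wrong order: MASQUERADE (rule " masq ") precedes IPsec exception (rule " accept ")"
            exit 1
        }'
}

# Constructed sample listings. BAD mirrors the original order in the
# question (MASQUERADE first), GOOD mirrors the corrected order.
BAD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT'

GOOD_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o venet0 -j MASQUERADE'

# Wrappers that return the audit result for each sample listing.
check_bad()  { printf '%s\n' "$BAD_LISTING"  | check_order; }
check_good() { printf '%s\n' "$GOOD_LISTING" | check_order; }

# On a live gateway the same check runs against the real chain:
#   iptables -t nat -S POSTROUTING | check_order
```

On a real host, run `iptables -t nat -S POSTROUTING | check_order` after loading the rules; a non-zero exit means the MASQUERADE rule is shadowing the IPsec exception and tunnelled traffic from the LAN will be NATed instead of matching the policy.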
