[strongSwan] Question on IKEv2 + farp example

Dr. Rolf Jansen rj at obsigna.com
Mon Nov 3 22:12:18 CET 2014

On 12.10.2014 at 16:02, Noel Kuntze <noel at familie-kuntze.de> wrote:

> I'm not sure if it works, because farp sends ARP messages for the whole pool,
> not just the addresses currently given to peers using MODE_CONFIG or QUICK_MODE.
> NAT shouldn't be a problem, if you only apply it to packets that aren't handled by ipsec and only going to the WAN.
> I think it should work alright from the peer's viewpoint, if the firewall on the gateway is set up correctly.
> On 12.10.2014 at 16:34, Dr. Rolf Jansen wrote:
>> I am referring to the example setup given at http://www.strongswan.org/uml/testresults/ikev2/farp/index.html.
>> My question is, whether carol and dave do have access to the web server winnetou from within the internal network by way of a NAT'ing moon?

I got it now. In said example carol and dave can connect to winnetou via VPN to moon by way of moon's NAT. For me the obstacle was that the IP of winnetou must be part of leftsubnet in moon's ipsec.conf.

My actual objective was to set up at my home server a VPN gateway into the internet, so that e.g. in public wireless environments I can effectively prevent a MITM from sneaking into my traffic. For this to work, leftsubnet must be set to the whole internet, i.e.

FARP is not needed for this. FARP would be needed to access other clients in the local network.

Best regards
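The gateway configuration implied by this thread, as an added example that is not from the original post or from the strongSwan test suite: moon's ipsec.conf with leftsubnet covering the whole internet (strongSwan writes that as 0.0.0.0/0), a virtual IP pool for the road warriors carol and dave, and, in the comments at the end, the iptables NAT rules Noel's reply calls for, which masquerade only packets that are not handled by IPsec. The pool 10.3.0.0/24, the WAN interface name eth0, the certificate file name and the gateway identity are assumptions; the farp plugin is deliberately left unloaded because, as the post says, it is only needed to reach other hosts on moon's own LAN.

```ini
# /etc/ipsec.conf on the gateway "moon" (added example; names and addresses are assumed).
# FARP is intentionally NOT enabled: the clients only need to reach the internet through
# moon, not hosts on moon's LAN, so the farp plugin stays unloaded in strongswan.conf.

conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!

conn roadwarrior
        left=%any
        leftid=@moon.strongswan.org         # assumed gateway identity (must match the cert)
        leftcert=moonCert.pem               # assumed certificate file under /etc/ipsec.d/certs
        leftsubnet=0.0.0.0/0                # "the whole internet": ALL client traffic enters the tunnel
        leftfirewall=yes                    # _updown script opens FORWARD for the tunnel traffic
        right=%any
        rightsourceip=10.3.0.0/24           # assumed virtual IP pool handed to carol and dave
        auto=add

# NAT on moon (shell commands, not part of ipsec.conf; run as root on the gateway).
# The first POSTROUTING rule exempts anything that still has an outbound IPsec policy,
# e.g. a packet from carol that moon forwards back into dave's tunnel, so that only
# plain internet-bound traffic from the pool is masqueraded behind moon's WAN address.
# Rule order matters: the policy exemption must come before MASQUERADE.
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A POSTROUTING -s 10.3.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
#   iptables -t nat -A POSTROUTING -s 10.3.0.0/24 -o eth0 -j MASQUERADE
```

On the client side (carol, dave) the matching conn uses leftsourceip=%config and rightsubnet=0.0.0.0/0, so that the client installs a policy covering all destinations and nothing bypasses the tunnel on the untrusted wireless network. Because leftsubnet=0.0.0.0/0 also covers the pool itself, traffic between two road warriors is hairpinned through moon; without the policy-match exemption MASQUERADE would rewrite that traffic before it is re-encrypted, which is exactly the case Noel's remark about NAT "only going to the WAN" guards against.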


