[strongSwan] is this scenario supported by strongswan?

Martin Willi martin at strongswan.org
Tue Oct 14 09:40:46 CEST 2014


Hi,

> i want to know if strongswan running on a linux server can support these
> clients.
> 
> - android phones using native client, and configured as ipsec rsa xauth
> (x509+Xauth), all traffic should be routed over the vpn
> 
> - MikroTik router, configured as ipsec rsa, behind a dynamic ip but not
> nat (adsl), not all traffic should be routed over vpn.
> router will NAT its clients into the vpn
> 
> - remote workstation running linux behind nat, not all traffic should be
> routed over vpn, but it should allow connections from other vpn client
> 
> - laptop running linux, most of the time behind nat, it may or may not
> need to route all the traffic over vpn, it needs to be able to connect
> to the remote workstation over the vpn

That should be doable, yes. Obviously you'll need multiple connection
definitions in your ipsec.conf, most likely one for each of these
clients.

The tricky part is probably to assign the correct connection definition
to each connecting client. I assume the first two use IKEv1? Then you
can distinguish them by the authentication method. For the latter two
I'd recommend using IKEv2 (and strongSwan clients?), but I'm not sure what
your "other vpn client" supports. If required you can use different
leftids on your responder with IKEv2, and then select the correct
configuration based on the proposed responder identity. Alternatively
you may select the configuration based on the client identity or its IP
address; this highly depends on your client capabilities.

Whether to "route all traffic over VPN" depends on your leftsubnet
configuration; you may also dynamically allow clients to propose what to
tunnel by using traffic selector narrowing.

> i want to know if strongswan can do all this for me running on a single
> server, on a single instance with a single pool of ip

Sharing an in-memory virtual IP pool is straightforward since 5.0.1;
just define the same rightsourceip pool subnet to share it across
multiple connections.

Regards
Martin
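To make the answer above concrete, here is an added ipsec.conf sketch for the four client types on one responder with one shared pool. It is not part of the original message or of the strongSwan project; the subnets, the `serverCert.pem` name and the certificate DNs are placeholders.

```ini
conn %default
    left=%any
    right=%any
    leftcert=serverCert.pem
    auto=add

# Android native client, "IPSec Xauth RSA" profile: IKEv1, certificate
# plus XAuth. The XAuth second round is what sets it apart from the
# plain-RSA router below; XAuth users/passwords live in ipsec.secrets.
conn android
    keyexchange=ikev1
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth
    # 0.0.0.0/0 on the responder: the phone sends all traffic through
    leftsubnet=0.0.0.0/0
    rightsourceip=10.3.0.0/24

# MikroTik router: IKEv1, plain RSA, dynamic address, no NAT in front.
# Pinned to its certificate DN (placeholder); only the office net is
# tunnelled, and the router NATs its LAN behind its own address.
conn router
    keyexchange=ikev1
    leftauth=pubkey
    rightauth=pubkey
    rightid="C=XX, O=Example, CN=router.example.org"
    leftsubnet=10.1.0.0/16

# Linux workstation: IKEv2 behind NAT, selected by its client identity.
# The pool subnet is part of leftsubnet so other clients' virtual IPs
# are routed into this tunnel (the server must forward between them).
conn workstation
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    rightid="C=XX, O=Example, CN=workstation.example.org"
    leftsubnet=10.1.0.0/16,10.3.0.0/24
    rightsourceip=10.3.0.0/24

# Linux laptop: IKEv2, usually behind NAT, no rightid so it is the
# fallback for IKEv2 certificate clients. 0.0.0.0/0 lets the client
# narrow to whatever it proposes: everything, or office net plus pool.
conn laptop
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsubnet=0.0.0.0/0
    rightsourceip=10.3.0.0/24
```

The two IKEv1 conns are told apart by the authentication method, the two IKEv2 conns by the client identity (the more specific `rightid` wins); the per-conn `leftid` approach Martin mentions would work just as well if the server certificate carries a subjectAltName for each identity.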
