[strongSwan] Setting the virtual ip gateway?

Cindy Moore ctmoore at cs.ucsd.edu
Wed Sep 17 23:31:05 CEST 2014


I have two servers on our public network, let's call them nat and vpn.
Vpn, naturally, has the strongswan vpn set up on it, etc. (if it
matters, ubuntu 14.04 is installed on everything).
Let's say the public network I have is 4.3.2.0/24 and nat is 4.3.2.1
and vpn is 4.3.2.2

So ordinarily, for a server that I put on the private network (let's
say it's 1.2.3.0/24, and I give this server 1.2.3.4), I set its
gateway to 1.2.3.250, and nat's /etc/network/interfaces and iptables
are configured to treat 1.2.3.250 as the gateway for the 1.2.3.0/24
subnet.

So now I give vpn a handful of addresses from the private network to
use (say 1.2.3.10-50).
Therefore vpn hands out a virtual ip (say 1.2.3.15) on a successful
connection.  How does vpn also tell the new connection that its
virtual gateway is now 1.2.3.250?

I've gone over the ipsec.conf file and I'm not seeing where I can set
this.  Does the vpn server need to set up some kind of connection to
1.2.3.250 itself?

I haven't set this up:
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE

(from https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling)
because server nat already has these in its iptables (in slightly
different format).

As an aside, is it at all possible to specify a set of available
virtual ip addresses as a range rather than in CIDR format? I've
basically been given 1.2.3.102 - 1.2.3.200 which works out to
1.2.3.102/31,1.2.3.104/29,1.2.3.112/28,1.2.3.128/26,1.2.3.192/29  in
CIDR format (facepalm)
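
The CIDR arithmetic from the aside, as an added example (Python; not code from the post or from strongSwan): it computes the minimal set of CIDR blocks covering an inclusive address range with the usual greedy alignment algorithm and cross-checks the result against the standard library. The range 1.2.3.102 - 1.2.3.200 from the post is used as the constructed sample input, taken as inclusive at both ends.

```python
"""Decompose an inclusive IPv4 range into the minimal list of CIDR blocks.

Added example, not part of the original post. The sample range below is the
one quoted in the post, assumed inclusive at both ends.
"""
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Return the minimal CIDR blocks covering first..last (both inclusive).

    Greedy algorithm: starting at the low end, take the largest block that
    (a) is aligned on its own size at the current address and (b) does not
    run past `last`; then continue from the address after that block.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    while lo <= hi:
        # Largest aligned block at `lo`: a block of 2^k addresses must start
        # on a multiple of 2^k, so the limit is the lowest set bit of `lo`.
        size = (lo & -lo) if lo else 1 << 32
        # Shrink until the block also fits inside the remaining range.
        while size > hi - lo + 1:
            size //= 2
        prefix = 33 - size.bit_length()  # size is 2^k, so prefix = 32 - k
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks


def stdlib_cidrs(first: str, last: str) -> List[str]:
    """Same decomposition via the standard library, for cross-checking."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def address_count(blocks: List[str]) -> int:
    """Total number of addresses covered by a list of CIDR blocks."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)


if __name__ == "__main__":
    # Constructed sample input: the range quoted in the post.
    pool = range_to_cidrs("1.2.3.102", "1.2.3.200")
    print(",".join(pool), "covers", address_count(pool), "addresses")
```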
