[strongSwan] Setting the virtual ip gateway?

Cindy Moore ctmoore at cs.ucsd.edu
Wed Sep 17 23:31:05 CEST 2014

I have two servers on our public network, let's call them nat and vpn.
Vpn, naturally, has the strongSwan VPN set up on it, etc. (if it
matters, Ubuntu 14.04 is installed on everything).
Let's say the public network I have is and nat is
and vpn is

So ordinarily, for a server that I put on the private network (let's
say it's, and I give this server, I set its
gateway to, and nat's /etc/network/interfaces and iptables
are configured to treat as the gateway for the

So now I give vpn a handful of addresses from the private network to
use (say
Therefore vpn hands out a virtual ip (say on a successful
connection.  How does vpn also tell the new connection that its
virtual gateway is now

I've gone over the ipsec.conf file and I'm not seeing where I can set
this.  Does the vpn server need to set up some kind of connection to itself?

I haven't set this up:
iptables -t nat -A POSTROUTING -s -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

(from https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
because server nat already has these in its iptables (in slightly
different format).

As an aside, is it at all possible to specify a set of available
virtual ip addresses as a range rather than in CIDR format? I've
basically been given - which works out to,,,,  in
CIDR format (facepalm)
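An added example, not from the original post or from the strongSwan project: an ipsec.conf fragment for the setup described above, on the assumption that the private network behind nat is 10.1.0.0/24 and the addresses handed to vpn are 10.1.0.200 to 10.1.0.220 (both constructed placeholders). The pool is written as a range rather than as CIDR blocks, and no gateway is pushed at all, because the client installs a route to leftsubnet through the tunnel itself (IPsec selects traffic by policy, not by a next-hop address).

```ini
# /etc/ipsec.conf on the host "vpn" (added example; all addresses are constructed)
config setup

conn rw
    keyexchange=ikev2
    left=%defaultroute
    leftcert=vpnCert.pem
    leftauth=pubkey
    # the private network behind "nat": the client routes this subnet into the
    # tunnel, so there is no virtual gateway address to hand out
    leftsubnet=10.1.0.0/24
    right=%any
    rightauth=eap-mschapv2
    # virtual IP pool given as a range instead of a list of CIDR blocks;
    # charon accepts "first-last" here (assumed supported on 14.04's strongSwan)
    rightsourceip=10.1.0.200-10.1.0.220
    auto=add
```

Because the pool addresses belong to the private network but sit behind vpn rather than nat, the hosts on 10.1.0.0/24 still need a return path, which is what the POSTROUTING rules quoted from the ForwardingAndSplitTunneling wiki page provide when placed on vpn.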
