[strongSwan] How to tunnel traffic towards the public IP of the remote gateway?

Tiago Vasconcelos tiago.o.vasconcelos at gmail.com
Thu Apr 16 22:44:41 CEST 2015


Thanks a lot for your prompt response!
Does %dynamic work in net2net? Or only in road-warrior scenarios?

Tiago


On 16-04-2015 17:14, Noel Kuntze wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
>
> Yes, use %dynamic in rightsubnet as follows: rightsubnet=foo,bar,%dynamic
>
> If you use IKEv1, you need to define several SAs for each combination of subnets.
> For IKEv2, the mentioned combination would be just fine.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 16.04.2015 at 18:09, Tiago Vasconcelos wrote:
>> My understanding is that only traffic towards the subnets declared in:
>>
>>      rightsubnet
>>
>> is tunnelled and, therefore, encrypted. Whereas traffic towards the IP address of the remote gateway declared in:
>>
>>      right
>>
>> is routed outside of the tunnel.
>>
>>
>> Example:
>>
>>      Gateway Sun address (WAN-facing): 120.121.122.123  (fictitious)
>>      Subnet behind Sun eth1 (LAN-facing): 192.168.90.0/24
>>
>>      Traffic with a destination IP of 192.168.90.1 is tunnelled.
>>      But SMTP traffic with a destination IP of 120.121.122.123 is not tunnelled.
>>
>> In the Cisco world it's apparently possible to tunnel non-IPsec traffic towards the remote gateway public IP address.
>> Can strongSwan do this as well?
>>
>>
>>
>> Tiago
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> -----END PGP SIGNATURE-----
>
>
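
The suggestion quoted above, written out as an ipsec.conf sketch. This is an added example, not configuration posted by either participant: the conn names, the local address 198.51.100.10, the local subnet 10.1.0.0/16 and PSK authentication are assumptions, and the Sun addresses are the fictitious ones from the thread.

```conf
# ipsec.conf on the local gateway (added example; see assumptions above).
# The two variants are alternatives: load either the IKEv2 conn or the
# IKEv1 group, not both.

# --- IKEv2: one CHILD_SA can carry several traffic selectors ---
conn to-sun
    keyexchange=ikev2
    authby=secret
    left=198.51.100.10            # assumed local WAN address
    leftsubnet=10.1.0.0/16        # assumed local LAN
    right=120.121.122.123
    # LAN behind Sun, plus %dynamic for Sun's own address
    rightsubnet=192.168.90.0/24,%dynamic
    auto=start

# --- IKEv1: one SA per subnet combination, so split into two conns ---
conn sun-base
    keyexchange=ikev1
    authby=secret
    left=198.51.100.10
    leftsubnet=10.1.0.0/16
    right=120.121.122.123

conn sun-lan
    also=sun-base
    rightsubnet=192.168.90.0/24
    auto=start

conn sun-gateway
    also=sun-base
    rightsubnet=%dynamic
    auto=start
```

The remote gateway needs the mirrored selectors on its side (its `leftsubnet` carrying the same `192.168.90.0/24,%dynamic` combination) for the proposals to match.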



