[strongSwan] client to site but as a gateway(nat)?

Karl Denninger karl at denninger.net
Thu Jul 20 23:57:41 CEST 2017

On 7/20/2017 16:46, peljasz wrote:
> On 20/07/17 21:57, Karl Denninger wrote:
>> That can be made to work provided you do not need inbound connections
>> to things on the client side.
> exactly like that.
> How to even phrase a query to find docs/howtos on such a setup?
> Or, tips on setup/config much appreciated - I have a working client to
> site setup - is it only strongswan or/and routing/nating outside of swan?
> many thanks.
> L

There's really nothing specific related to StrongSwan there other than
not mapping your own client NAT implementation on top of whatever
address/subnet the VPN gateway gives you.

Essentially your client is responsible for NATting the client-attached
traffic which is then sent to the VPN gateway, which (presumably) will
NAT it again.  It should work with few potential issues (the big one
being if you have a UDP client of some sort and the intermediate NAT
times out on stateful tables you'll lose some replies, but this usually
isn't much of a factor.)

This is, in essence, what running a Hotspot that is also a StrongSwan
client back to a server winds up being -- the VPN server is NATing
traffic to the Internet, and the Hotspot is NATing traffic for its
attached clients.  It should all "just work" in most cases.

Since you said you have no control over the server I'm assuming you
can't have the server side hand you a subnet which you can then hand out
hosts from and are forced to NAT into a single dynamically-assigned IP
address that the gateway hands you (and which is likely to change with
each connection.)

>> On 7/20/2017 15:50, peljasz wrote:
>>> hi fellas
>>> a novice here, who is reading up but was hoping someone knows already
>>> and can shed some light on..
>>> how to, if possible at all, have a client that calls out to a
>>> server(site) and that client would route(nat) other nodes on its
>>> local lan to the site(server)?
>>> I'd only hope that if possible that this is all down to the "client"
>>> as over the server I have no control whatsoever.
>>> many thanks
>>> L.
>> -- 
>> Karl Denninger
>> karl at denninger.net <mailto:karl at denninger.net>
>> /The Market Ticker/
>> /[S/MIME encrypted email preferred]/
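The double-NAT path Karl describes (the client masquerades its LAN hosts behind the single address the VPN gateway assigned it, and the gateway masquerades again toward the Internet) and the one caveat he raises (a UDP reply that arrives after the intermediate NAT has expired its flow entry is dropped) can be modelled in a few lines. The following is an added example, not code from the list thread or from strongSwan; it is a toy model of two stateful source-NAT boxes with constructed addresses (192.168.1.0/24 LAN, a VPN-assigned 10.8.0.5, RFC 5737 documentation addresses on the outside) and idle timeouts that are assumed, not taken from any real conntrack defaults.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """Minimal source NAT (masquerade) with a per-flow idle timeout (toy model)."""

    def __init__(self, public_ip: str, udp_timeout: float,
                 tcp_timeout: float = 3600.0, first_port: int = 40000):
        self.public_ip = public_ip
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.next_port = first_port
        # forward map: (proto, src, sport, dst, dport) -> public port
        self.forward: Dict[Tuple[str, str, int, str, int], int] = {}
        # reverse map: (proto, public port) -> (orig src, orig sport, last activity)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int, float]] = {}
        self.dropped = 0

    def _expired(self, proto: str, last_seen: float, now: float) -> bool:
        return now - last_seen > self.timeouts[proto]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Rewrite an inside->outside packet, reusing or allocating a mapping."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.forward.get(key)
        if port is not None and self._expired(pkt.proto, self.reverse[(pkt.proto, port)][2], now):
            port = None  # the idle entry would have been garbage-collected
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.forward[key] = port
        self.reverse[(pkt.proto, port)] = (pkt.src, pkt.sport, now)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Undo the translation for an outside->inside packet, or drop it."""
        entry = self.reverse.get((pkt.proto, pkt.dport))
        if entry is None or pkt.dst != self.public_ip:
            self.dropped += 1          # no state: unsolicited inbound, dropped
            return None
        orig_src, orig_sport, last = entry
        if self._expired(pkt.proto, last, now):
            self.dropped += 1          # state timed out before the reply came back
            return None
        self.reverse[(pkt.proto, pkt.dport)] = (orig_src, orig_sport, now)
        return replace(pkt, dst=orig_src, dport=orig_sport)


def simulate_udp_exchange(reply_delay: float, client_nat_udp_timeout: float,
                          gateway_nat_udp_timeout: float = 300.0) -> str:
    """LAN host -> client NAT -> VPN gateway NAT -> Internet host, then the reply back."""
    # Constructed addresses: a LAN host behind the strongSwan client, the address the
    # gateway assigned to the client, and the gateway's own public address.
    lan_request = Packet("udp", "192.168.1.23", 5353, "198.51.100.7", 53)
    client_nat = StatefulNat("10.8.0.5", client_nat_udp_timeout)
    gateway_nat = StatefulNat("203.0.113.1", gateway_nat_udp_timeout)

    t = 0.0
    hop1 = client_nat.outbound(lan_request, t)
    hop2 = gateway_nat.outbound(hop1, t)

    # The Internet host answers whatever source it saw, after reply_delay seconds.
    reply = Packet("udp", hop2.dst, hop2.dport, hop2.src, hop2.sport)
    t = reply_delay
    back1 = gateway_nat.inbound(reply, t)
    if back1 is None:
        return "dropped at gateway NAT"
    back2 = client_nat.inbound(back1, t)
    if back2 is None:
        return "dropped at client NAT"
    return "delivered to " + back2.dst


if __name__ == "__main__":
    for delay in (10.0, 60.0, 400.0):
        print(f"reply after {delay:>5}s: {simulate_udp_exchange(delay, 30.0)}")
```

With a 30 s idle timeout on the client-side NAT, a reply that comes back within that window is delivered to the LAN host; one that arrives later is dropped at the client NAT even though the gateway still holds state for it. The fix a practitioner would reach for is the usual one: longer UDP timeouts on the client's NAT table for the flows that need it, or keepalives from the UDP application, rather than anything in the IPsec configuration itself.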

