[strongSwan] client to site but as a gateway(nat)?

peljasz peljasz at yahoo.co.uk
Fri Jul 21 07:30:06 CEST 2017

On 20/07/17 23:37, Karl Denninger wrote:
> On 7/20/2017 17:30, peljasz wrote:
>> On 20/07/17 22:57, Karl Denninger wrote:
>>> On 7/20/2017 16:46, peljasz wrote:
>>>> On 20/07/17 21:57, Karl Denninger wrote:
>>>>> That can be made to work provided you do not need 
>>>>> inbound connections to things on the client side.
>>>> exactly like that.
>>>> How to even phrase a query to find docs/howtos on such 
>>>> a setup?
>>>> Or, tips on setup/config much appreciated - I have a 
>>>> working client to site setup - is it only strongswan 
>>>> or/and routing/nating outside of swan?
>>>> many thanks.
>>>> L
>>> There's really nothing specific related to StrongSwan 
>>> there other than not mapping your own client NAT 
>>> implementation on top of whatever address/subnet the VPN 
>>> gateway gives you.
>>> Essentially your client is responsible for NATting the 
>>> client-attached traffic which is then sent to the VPN 
>>> gateway, which (presumably) will NAT it again.  It 
>>> should work with few potential issues (the big one being 
>>> if you have a UDP client of some sort and the 
>>> intermediate NAT times out on stateful tables you'll 
>>> lose some replies, but this usually isn't much of a 
>>> factor.)
>>> This is, in essence, what running a Hotspot that is also 
>>> a StrongSwan client back to a server winds up being -- 
>>> the VPN server is NATing traffic to the Internet, and 
>>> the Hotspot is NATing traffic for its attached clients.  
>>> It should all "just work" in most cases.
>> well, if I understand it correctly then my setup is a bit 
>> different, but I thought it still would be commonly 
>> desired that there would be many and easy to find howtos.
>> Namely: a linux box with a public IP (not static per se
>> but almost the same IP all the time) and that box is the 
>> default gateway/nat for local/home lan. Now that very box 
>> calls out(as a client) to a VPN's site(server I have no 
>> control over).
>> What is working as of now:
>> - linux box vpns out with rightsubnet= but 
>> the rest(from itself and home lan go out via linux 
>> nat(via my ISP)
>> - from another node on local/home lan I can ping linux's 
>> vpn client IP (given by the swan server); on the node I 
>> added a route to via's 
>> local lan IP, which is the default gateway for local/home 
>> lan to the Internet via ISP)
>> ! but I cannot reach anything else on from 
>> that same node that can ping client IP)
>> what I want:
>> a node(s) -> => the 
>> whole Internet (except to should go via 
>> linux's vpn client)
>> something I am missing.
> I'm not understanding the network topology in question... 
> is the VPN server on a separate connection from your 
> general Internet ISP or is it a site on the Internet (and 
> thus transports down that connection)?
a node(s) -> => traffic 
to the whole Internet (including vpn connection) and traffic 
to should go via linux's vpn client/connection)

> I suspect the issue is either (1) a routing one or (2) the 
> packets you're tossing down the VPN connection have not 
> been NAT'd before they go down the VPN and thus from the 
> perspective of the server end they're *not* coming from 
> your attached host (which it knows how to reach) but 
> rather from a random address, which is private 
> and unrouteable (and thus getting tossed on the floor on 
> the other end.)
> -- 
> Karl Denninger
> karl at denninger.net <mailto:karl at denninger.net>
> /The Market Ticker/
> /[S/MIME encrypted email preferred]/
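Karl's point (2), worked through as an added example that is not part of this thread: the forwarding and NAT rules a Linux box needs when it is the home LAN's default gateway and also the strongSwan client, so that LAN hosts reach the remote subnet through the tunnel. All addresses are constructed placeholders, and it assumes the server hands out the virtual IP via leftsourceip=%config and that LAN-to-Internet traffic is already masqueraded out to the ISP.

```shell
#!/bin/sh
# Added example, not from the thread: NAT/forwarding rules for a Linux box
# that is the home LAN's default gateway and also a strongSwan client.
# strongSwan installs an IPsec policy only for the virtual IP the server
# assigned (leftsourceip=%config), so a forwarded packet from a LAN host
# must have its source rewritten to that virtual IP before it enters the
# tunnel. Otherwise it either leaves in the clear via the ISP or arrives at
# the server from a private address it cannot route back to (point (2) above).
# All values are constructed placeholders, not the poster's addresses.
LAN_NET="192.168.1.0/24"    # home LAN behind the box
REMOTE_NET="10.10.0.0/16"   # rightsubnet= of the client-to-site conn
VIRT_IP="10.20.0.5"         # virtual IP handed out by the VPN server

# Emit the commands, one per line, so they can be reviewed before applying.
gen_rules() {
    lan="$1"; remote="$2"; vip="$3"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Only the remote subnet is steered into the tunnel; everything else keeps
    # using the existing ISP MASQUERADE rule.
    echo "iptables -A FORWARD -s $lan -d $remote -j ACCEPT"
    echo "iptables -A FORWARD -s $remote -d $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Insert at position 1 so it wins over the generic MASQUERADE rule. After
    # SNAT the kernel repeats the IPsec policy lookup with the new source, so
    # the packet now matches strongSwan's policy and is encrypted into the tunnel.
    echo "iptables -t nat -I POSTROUTING 1 -s $lan -d $remote -j SNAT --to-source $vip"
}

# Number of commands produced (for scripted sanity checks).
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules "$LAN_NET" "$REMOTE_NET" "$VIRT_IP" | sh -ex   # needs root
else
    gen_rules "$LAN_NET" "$REMOTE_NET" "$VIRT_IP"           # dry run: just print
fi
```

Run with APPLY=1 as root to install the rules; the FORWARD rules assume the chain's default policy is DROP, and are harmless otherwise.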
