[strongSwan] How to properly set up the "hide IP" VPN function?

strongswan_user at mail.ru strongswan_user at mail.ru
Wed Jul 26 10:15:43 CEST 2017


Minor update:

The "magic" rules on the server Sa should include the following before the DNAT rule:
iptables -t nat -A PREROUTING -s $CLIENT_PUBLIC_IP -d $SERV_PRIVATE_IP -j ACCEPT
iptables -t nat -A PREROUTING -s $CLIENT_PRIVATE_IP -d $SERV_PRIVATE_IP -j ACCEPT
(I do have these; I just omitted them from the OP for simplicity.)

The client address on the diagram should read .1.23 (I have several clients and forgot to update it in the OP).

Again, "it basically works". No problem connecting, etc. I can see IPsec flying through I1 (with tcpdump). So I don't include any logs; they look good.

Am I right that this thing is related to the (rather terrifying) topic of fragmentation?