[strongSwan] L2TP/IPSec Passthrough - Interfaces?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 6 21:46:50 CEST 2017


Hello Tom,

On 02.06.2017 21:12, Tom Rymes wrote:
> We are running strongSwan as part of an IPFire router distribution. strongSwan handles multiple tunnels via the WAN interface, and that interface has multiple public IPs associated with it.
>
> We are also trying to pass L2TP/IPSec through the router to a Windows RRAS server for the purpose of establishing roadwarrior-type VPN connections to one of the other IP Addresses.
>
> Currently, this is not working, and it seems that it is because strongSwan is trying to handle the IPsec traffic, instead of passing it through to the Windows server.

If you want to port forward traffic, you need to DNAT it to another host. If you don't DNAT it, the traffic will be handled locally, so charon does the right thing and so does the kernel.
This is a PEBKAC problem. Unless you DNAT traffic that is destined to your machine to other hosts, traffic will be handled locally.

> After digging through the docs a little, it looks to me that we need to specify the "charon.interfaces_use" directive in the configuration to limit strongSwan to only one of the configured IP addresses.

No, that's wrong. That will only make charon drop the packets and then they're gone.

Kind regards

Noel
>
> Does that make sense?
>
> Tom
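As an added illustration of the DNAT approach Noel describes (example script, not part of the original thread and not IPFire's or strongSwan's own code): the first function prints the PREROUTING DNAT and FORWARD rules that divert IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) addressed to one public IP to the inside RRAS host, so the kernel forwards them instead of delivering them locally to charon. The second function is an offline check that scans `iptables-save -t nat` output and reports which of the three DNAT rules is missing. The interface name `eth1`, the public address `203.0.113.10` and the RRAS address `192.168.1.20` are placeholders, and the `iptables-save` snippets are constructed for the demonstration, not captured from anyone's router.

```shell
#!/bin/sh
# Added example for the L2TP/IPsec passthrough case discussed above.
# Interface and addresses are assumed placeholders; override via environment.
WAN_IF="${WAN_IF:-eth1}"                  # assumed WAN interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # assumed second public IP reserved for RRAS
RRAS_IP="${RRAS_IP:-192.168.1.20}"        # assumed RRAS server on the LAN

# Print (not apply) the rules that divert IKE, NAT-T and ESP for PUBLIC_IP to
# RRAS_IP. Without the PREROUTING DNAT the kernel delivers these packets to
# the local stack and charon answers them, which is what the thread describes.
# Review the output, then pipe it to sh as root to apply.
passthrough_rules() {
    wan="$1"; pub="$2"; rras="$3"
    for spec in "udp --dport 500" "udp --dport 4500" "esp"; do
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s -j DNAT --to-destination %s\n' \
            "$wan" "$pub" "$spec" "$rras"
        printf 'iptables -A FORWARD -i %s -d %s -p %s -j ACCEPT\n' \
            "$wan" "$rras" "$spec"
    done
}

# Offline check over the text of `iptables-save -t nat`: returns 0 when all
# three DNAT rules for pub -> rras exist, otherwise prints each missing match
# and returns 1. Fragments are matched separately because iptables-save
# field order (-d before or after -i) varies between versions.
check_passthrough() {
    table="$1"; pub="$2"; rras="$3"; rc=0
    for match in "-p udp -m udp --dport 500" "-p udp -m udp --dport 4500" "-p esp"; do
        if ! printf '%s\n' "$table" | grep -F -- "-d $pub/32" \
                | grep -qF -- "$match -j DNAT --to-destination $rras"; then
            echo "missing PREROUTING DNAT: $match"
            rc=1
        fi
    done
    return $rc
}

# Constructed iptables-save samples (not real captures): one router with only
# the two UDP rules, and the same router with the ESP rule added.
RULE_IKE='-A PREROUTING -d 203.0.113.10/32 -i eth1 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.20'
RULE_NATT='-A PREROUTING -d 203.0.113.10/32 -i eth1 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.20'
RULE_ESP='-A PREROUTING -d 203.0.113.10/32 -i eth1 -p esp -j DNAT --to-destination 192.168.1.20'
SAMPLE_NAT_INCOMPLETE="*nat
:PREROUTING ACCEPT [0:0]
$RULE_IKE
$RULE_NATT
COMMIT"
SAMPLE_NAT_COMPLETE="*nat
:PREROUTING ACCEPT [0:0]
$RULE_IKE
$RULE_NATT
$RULE_ESP
COMMIT"

# Usage: print the rules for the placeholders, then show the check flagging
# the incomplete sample.
passthrough_rules "$WAN_IF" "$PUBLIC_IP" "$RRAS_IP"
if check_passthrough "$SAMPLE_NAT_INCOMPLETE" "$PUBLIC_IP" "$RRAS_IP"; then
    echo "passthrough rules complete"
else
    echo "add the rules printed above"
fi
```

Two practical notes. L2TP itself (UDP/1701) rides inside the ESP or NAT-T payload, so it needs no rule of its own; and once the DNAT is in place the peers detect the NAT during IKE and move to UDP/4500, so the ESP rule only matters for clients that do not negotiate NAT-T. Windows also refuses L2TP/IPsec to a server it sees as behind a NAT until the AssumeUDPEncapsulationContextOnSendRule registry value is set (Microsoft KB 926179), which is a separate fix from the router's rules. Note also that, as Noel says, `charon.interfaces_use` would not help here: it changes which interfaces charon listens on, and the packets still arrive at the local stack.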

