[strongSwan] strongSwan client as a transparent gateway

sendmaildevnull sendmaildevnull at gmail.com
Tue Mar 21 03:16:06 CET 2017


Hi,

I'm looking for some help setting up a strongSwan client in my local
network as a gateway for other devices to send their traffic through and
have it encrypted to a server in the cloud. The end goal would look something
like this: https://imgur.com/a/Ep8W0. Right now I only have the client-to-
server connection working, and I'm wondering if anyone has any pointers on
how to make this client act as a transparent gateway. In the past with
OpenVPN I was able to enable IP forwarding and set up an iptables MASQUERADE
rule that sent traffic out the tun interface, which obviously won't work here as
there are no tun interfaces. Any pointers would be super appreciated!

Client config
-----------------------------------------
conn ikev2-138.100.100.100
    fragmentation=yes
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=no
    dpddelay=35s

    ike=aes128gcm16-sha2_256-prfsha256-ecp256
    esp=aes128gcm16-sha2_256-ecp256

    right=138.100.100.100
    rightid=138.100.100.100
    rightsubnets=0.0.0.0/0
    rightauth=pubkey

    leftsourceip=%config
    leftauth=pubkey
    leftcert=138.100.100.100_user.crt
    leftfirewall=yes
    left=%defaultroute
    auto=start
-----------------------------------------

Server config
-----------------------------------------
config setup
    uniqueids = never # allow multiple connections per user
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    fragmentation=yes
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=yes
    dpddelay=35s

    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!

    left=%any
    leftauth=pubkey
    leftid=138.100.100.100
    leftcert=138.100.100.100.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0

    right=%any
    rightauth=pubkey
    rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
    rightdns=172.16.0.1

conn ikev2-pubkey
    auto=add
-----------------------------------------

