[strongSwan] strongSwan client as a transparent gateway
Rayson Zhu
vfreex at gmail.com
Tue Mar 21 08:08:51 CET 2017
Suppose your local LAN has the IP subnet 192.168.1.0/24, and you want to
forward all traffic to the remote server.
1. You need to bypass traffic to the local LAN:
- in client config:
    conn bypass-non-routable-range
        leftsubnet=0.0.0.0/0
        rightsubnet=192.168.1.0/24,224.0.0.0/4,240.0.0.0/4,0.0.0.0/8,127.0.0.0/8
        auto=route
- disable the farp plugin if installed:
    edit strongswan.d/charon/farp.conf, change 'load = yes' to 'load = no'
2. Allow the local gateway to forward Internet traffic to the remote:
- in client config:
    conn ikev2-138.100.100.100
        leftsubnet=192.168.1.0/24
- in server config:
    conn %default
        rightsubnet=192.168.1.0/24
On Tue, Mar 21, 2017 at 10:16 AM, sendmaildevnull
<sendmaildevnull at gmail.com> wrote:
> Hi,
>
> I'm looking for some help setting up a strongSwan client in my local network
> as a gateway for other devices to send their traffic through and have it
> encrypted to server in the cloud. The end goal would look something like
> this: https://imgur.com/a/Ep8W0. Right now I only have the client to server
> connection working, and I'm wondering if anyone has any pointers on how to
> make this client act as a transparent gateway. In the past with OpenVPN I
> was able to enable IP forwarding and setup an iptables MASQUERADE rule that
> exited out the tun interface, which obviously won't work here as there are
> no tun interfaces. Any pointers would be super appreciated!
>
> Client config
> -----------------------------------------
> conn ikev2-138.100.100.100
>     fragmentation=yes
>     rekey=no
>     dpdaction=clear
>     keyexchange=ikev2
>     compress=no
>     dpddelay=35s
>
>     ike=aes128gcm16-sha2_256-prfsha256-ecp256
>     esp=aes128gcm16-sha2_256-ecp256
>
>     right=138.100.100.100
>     rightid=138.100.100.100
>     rightsubnets=0.0.0.0/0
>     rightauth=pubkey
>
>     leftsourceip=%config
>     leftauth=pubkey
>     leftcert=138.100.100.100_user.crt
>     leftfirewall=yes
>     left=%defaultroute
>     auto=start
> -----------------------------------------
>
> Server config
> -----------------------------------------
> config setup
>     uniqueids = never # allow multiple connections per user
>     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn %default
>     fragmentation=yes
>     rekey=no
>     dpdaction=clear
>     keyexchange=ikev2
>     compress=yes
>     dpddelay=35s
>
>     ike=aes128gcm16-sha2_256-prfsha256-ecp256!
>     esp=aes128gcm16-sha2_256-ecp256!
>
>     left=%any
>     leftauth=pubkey
>     leftid=138.100.100.100
>     leftcert=138.100.100.100.crt
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0,::/0
>
>     right=%any
>     rightauth=pubkey
>     rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
>     rightdns=172.16.0.1
>
> conn ikev2-pubkey
>     auto=add
> -----------------------------------------
>