[strongSwan] Use tunnel to occasionally proxy internet traffic

Tobias lists at linux-guru.com
Wed Apr 22 12:00:43 CEST 2020

Hi list,

I have set up a tunnel using ikev2 and PSK to connect my home network (via a Draytek router/modem) and my internet server (public IP ranges, acting as web-/mail-/network server).
The first goal is to access the respective networks behind the gateways, which works so far.
I'd further like to use the tunnel to proxy (internet) traffic from certain hosts in my home network via the responder to the internet.
So far, I did manage to route all (!) traffic from the home network via the responder to the internet, which is not the intended solution.
Side note: The Draytek router on the edge of the home network is able to set distinct routes based on source or destination IP(s) via certain interfaces (e.g. the VPN interface) and even can set definable gateways for this.
I could nail down the tunnel traffic by adding just the as the remote/right network in the Draytek config, but then I am not able to process the occasional traffic to the internet (if routing from a certain source via the tunnel is enabled on the Draytek) without a lot of manual modifications (iptables, ip xfrm policies).

The current IP schema looks as follows:
Home network:
Draytek router:
VPN IP on the home network (Draytek router):
Test VM:
Server network:
IPsec server IP (left on the server):
Private network IP on the server:

The Internet/WAN connection from the home network is currently set up via LTE (public IP / DHCP IP from the LTE provider).

ipsec.conf on the responder (server) side:

config setup
        #charondebug="ike 3, knl 3, cfg 3"

conn %default
        ike=aes256-sha2_256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; macOS is 3DES, sha-1, modp1024
        esp=aes256-sha2_256,aes256-sha256,aes256-sha1,3des-sha1! # Win7 is aes256-sha1, iOS is aes256-sha256, macOS is 3des-sha1

conn draytek-s1

Output of ipsec statusall on the responder:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 12 hours, since Apr 21 23:34:17 2020
  malloc: sbrk 2408448, mmap 0, used 356384, free 2052064
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 73
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Virtual IP pools (size/online/offline): 1/0/0
Listening IP addresses: 
  draytek-s1:  IKEv2, dpddelay=30s
  draytek-s1:   local:  [server1] uses pre-shared key authentication
  draytek-s1:   remote: [draytek] uses pre-shared key authentication
  draytek-s1:   child: === TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  draytek-s1[64]: ESTABLISHED 6 minutes ago,[server1]...[draytek]
  draytek-s1[64]: IKEv2 SPIs: 21a9d3bfe1b1f30a_i adaee24e252e33a2_r*, pre-shared key reauthentication in 7 hours
  draytek-s1[64]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  draytek-s1{53}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c000d8f9_i 2345e353_o
  draytek-s1{53}:  AES_CBC_256/HMAC_SHA2_256_128, 6964 bytes_i, 0 bytes_o, rekeying in 36 minutes
  draytek-s1{53}: ===

Config on the initiator side (currently web UI only)

I am not sure if embedded graphics will be displayed on the list, so here is the abstraction in text:
Remote Gateway IP:
Remote Network IP:
Remote Network Mask: / 24
Local Network IP:
Local Network Mask: / 24
RIP Direction: Disable
From first subnet to remote network, you have to do: Route (NAT would be the other choice)
IPsec VPN with the Same Subnets: Not ticked
Change default route to this VPN tunnel (Only active if one single WAN is up): Not ticked

On the responder side, I do not rely on the private network . Actually, I only need to connect certain services from the initiator on the responder through the VPN, which means needs to be reachable from or its private networks at least.

Is there any advice/help on how to configure the desired setup (to be able to occasionally route/proxy certain internet traffic from the home network through the responder)?
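As an added example (not part of the original post and not the poster's configuration), the following script shows the usual strongSwan pattern for the responder side of this setup: a second child SA for the same peer whose local traffic selector is 0.0.0.0/0 but whose remote selector is limited to the home hosts allowed to use it, plus FORWARD and NAT rules that only forward packets which were actually decapsulated from the tunnel and exempt tunnel-bound replies from masquerading. The WAN interface name eth0, the home host addresses 192.0.2.10 and 192.0.2.11 and the conn name draytek-s1-internet are assumptions; the peer addresses, identities and PSK of the existing draytek-s1 conn are reused via also= and not repeated here. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: responder-side (server) setup so that
# only selected home-network hosts get their internet traffic forwarded and NATed.
# Assumed values (constructed): WAN interface eth0, allowed home hosts 192.0.2.10
# and 192.0.2.11, child conn named draytek-s1-internet based on the post's draytek-s1.
# RUN=echo makes this a dry run; set RUN to an empty string to apply the rules.
WAN_IF="${WAN_IF:-eth0}"
HOME_HOSTS="${HOME_HOSTS:-192.0.2.10/32 192.0.2.11/32}"
RUN="${RUN:-echo}"

# ipsec.conf fragment: a second conn for the same peer whose local side covers
# the whole internet, limited on the remote side to the hosts allowed to use it.
# Parameters given here take precedence over those pulled in with also=.
conn_fragment() {
    printf 'conn draytek-s1-internet\n'
    printf '        also=draytek-s1\n'
    printf '        leftsubnet=0.0.0.0/0\n'
    printf '        rightsubnet=%s\n' "$(printf '%s' "$HOME_HOSTS" | tr ' ' ',')"
    printf '        auto=add\n'
}

# Forwarding: only packets decapsulated from the IPsec tunnel (policy match,
# dir in) and sourced from an allowed host may be forwarded; replies to those
# hosts are accepted only when they will be re-encrypted into the tunnel.
forward_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    for h in $HOME_HOSTS; do
        $RUN iptables -A FORWARD -s "$h" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
        $RUN iptables -A FORWARD -d "$h" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    done
}

# NAT: traffic that will be re-encrypted into the tunnel (dir out, pol ipsec)
# is exempted first; everything else from an allowed host leaving via the WAN
# interface is masqueraded behind the server's public address. Order matters.
nat_rules() {
    for h in $HOME_HOSTS; do
        $RUN iptables -t nat -A POSTROUTING -s "$h" -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
        $RUN iptables -t nat -A POSTROUTING -s "$h" -o "$WAN_IF" -j MASQUERADE
    done
}

conn_fragment
forward_rules
nat_rules
```

The Draytek side needs a matching profile (remote network 0.0.0.0/0 for this child SA, with its source-based routing sending only the chosen hosts into it); with IKEv2 the responder narrows the proposed selectors to its own rightsubnet, so the responder's conn, not the Draytek's routing, is what actually limits which home hosts can reach the internet through the server. The policy-match ACCEPT rule must precede the MASQUERADE rule, otherwise replies back into the tunnel are rewritten and no longer match the tunnel's selectors.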
