Hi. I am new to strongSwan, and after examining the documentation, I do not think it supports my particular application. I would appreciate if someone could help explain if I missed something, or if there is a mechanism to do what I need. Thanks.
I have a setup like this:

Box A (client) - Box B (VPN tunnel service with NAT-T) - Router (dynamic NAT) - Internet - VPN Concentrator - Home Network

Box A is completely unaware of the VPN service, knowing only that Box B is its default gateway. Box A uses a single, static private IP address. Box B provides a tunneling service for Box A to the VPN Concentrator. Everything from Box A is tunneled to the VPNC. (So far, this sounds a bit like site-to-site with leftsubnet=<something>.)

But Box A needs to appear as if it is on the home network (like a remote access application). So as part of IKEv2 negotiation, Box B also needs to obtain a remote IP address from the VPNC, similar to using leftsourceip=%config. Box B must then use this remote IP address in its IP masquerading function. In other words, every packet from Box A that enters Box B must first have its source address modified to use the remote IP address obtained from the VPNC, then the packet is pushed into the tunnel. The reverse occurs for packets from the VPNC, which will be addressed to the remote IP address: packets destined for the remote IP address must end up going through the IP masquerade function to set the destination address back to the statically-known private IP address of Box A. (Box B knows the static IP address of Box A.)

I'm wondering if strongSwan has the ability to share the remote IP address obtained from the VPNC with an IP masquerading function?

I also noticed at http://wiki.strongswan.org/wiki/1/VirtualIp that strongSwan does not support setting both leftsourceip=%config and setting leftsubnet to something non-empty, and I can see why given more typical applications. But it seemed like I needed leftsubnet non-empty to get the SA behavior I wanted. Can I set this up manually? Are there any other gotchas I should look out for?

Thank you to everyone for your help.
Alan

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
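The mechanism strongSwan offers for "sharing" the assigned virtual IP with a NAT function is the updown script: when a virtual IP is installed, the charon updown plugin exports it to the script as PLUTO_MY_SOURCEIP, along with the remote traffic selector as PLUTO_PEER_CLIENT and the event as PLUTO_VERB. The script below is an added example, not code from the original post or from the strongSwan project, showing how Box B could install a 1:1 NAT between Box A's static address and the virtual IP on up-client and remove it on down-client. Box A's address (10.10.10.2), the path of the stock _updown script, the conn name and the peer name in the comments are assumptions. Because the Linux kernel repeats the IPsec policy lookup after POSTROUTING NAT has changed the source address, the SNATed packet matches the virtual-IP/32 policy that leftsourceip=%config installs, so leftsubnet can stay empty.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): updown hook for Box B
# that NATs a single downstream host (Box A) to the virtual IP obtained with
# leftsourceip=%config.
#
# Assumed ipsec.conf fragment on Box B (conn and peer names are assumptions):
#   conn boxb-to-vpnc
#       keyexchange=ikev2
#       leftsourceip=%config
#       leftupdown=/usr/local/libexec/ipsec/boxa-updown
#       right=vpnc.example.org
#       rightsubnet=0.0.0.0/0
#       auto=start
#
# strongSwan passes PLUTO_VERB, PLUTO_MY_SOURCEIP (the assigned virtual IP) and
# PLUTO_PEER_CLIENT (the remote traffic selector) to this script.
set -eu

BOXA_IP="${BOXA_IP:-10.10.10.2}"   # Box A's static private address (constructed value)
IPT="${IPT:-iptables}"             # set IPT=echo to print the rules instead of installing them
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}"   # assumed path of the default script

# Install (-A) or remove (-D) the 1:1 NAT between Box A and the virtual IP.
# Fails if strongSwan did not hand us a virtual IP.
apply_nat() {
    action="$1"
    vip="${PLUTO_MY_SOURCEIP:-}"
    ts="${PLUTO_PEER_CLIENT:-0.0.0.0/0}"
    if [ -z "$vip" ]; then
        echo "updown: no virtual IP assigned, NAT left unchanged" >&2
        return 1
    fi
    # Outbound: rewrite Box A's source to the virtual IP for anything headed to the
    # remote traffic selector, so the packet matches the vip/32 -> TS IPsec policy.
    "$IPT" -t nat "$action" POSTROUTING -s "$BOXA_IP/32" -d "$ts" \
        -j SNAT --to-source "$vip"
    # Inbound: decrypted packets addressed to the virtual IP go to Box A. Replies to
    # flows Box A opened are reversed by conntrack; this rule covers connections the
    # home network initiates towards the virtual IP.
    "$IPT" -t nat "$action" PREROUTING -d "$vip/32" -m policy --dir in --pol ipsec \
        -j DNAT --to-destination "$BOXA_IP"
}

# Map strongSwan's PLUTO_VERB to an iptables action; empty for verbs we ignore
# (up-host/down-host are for the gateway's own traffic and need no NAT here).
nat_action_for_verb() {
    case "$1" in
        up-client|up-client-v6)     echo "-A" ;;
        down-client|down-client-v6) echo "-D" ;;
        *)                          echo "" ;;
    esac
}

# Entry point when invoked by charon: let the stock _updown install the virtual IP
# and its routes first, then adjust NAT. Sourcing this file for tests leaves
# PLUTO_VERB unset, so nothing runs.
if [ -n "${PLUTO_VERB:-}" ]; then
    [ -x "$STOCK_UPDOWN" ] && "$STOCK_UPDOWN"
    action="$(nat_action_for_verb "$PLUTO_VERB")"
    [ -n "$action" ] && apply_nat "$action"
fi
```

Two points worth checking on a real Box B: the FORWARD chain must still allow Box A's traffic in both directions, and if the VPNC hands out a different virtual IP on each reconnect the down-client run removes the old rules before up-client installs the new ones, so no stale SNAT to a released address lingers.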