Hello Julien,

> I would like to set up a VPN where the entry point E (strongswan
> server) and the services server S are not in the same place (LAN).
>
> The point is that I want the traffic from clients to S not to be
> routed through E.
>
> In some way, E is used only to authenticate the vpn users and to setup
> the access between users and S.
By definition, an IKE-established tunnel always uses the IKE endpoints as outer tunnel addresses. This makes it relatively hard to do tunnel encapsulation on a different IP address, at least with existing implementations.

What's the reason to have E and S in different places? What about doing the IKE exchange (and tunnel encapsulation) with S, and handling user authentication and policy decisions by a backend server, via RADIUS for example?

Regards
Martin
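A sketch of the layout suggested in the reply above, added here as an example and not taken from the thread: S terminates IKE and the tunnel itself, and hands user authentication to a RADIUS backend (which could run where E was meant to be) through strongSwan's eap-radius plugin. The connection, pool and server names, all addresses, the certificate file name and the shared secret are constructed placeholders.

```conf
# --- strongswan.conf on S (assumed host name: s.example.org) ---
charon {
  plugins {
    eap-radius {
      servers {
        # hypothetical name for the RADIUS backend that decides on users
        auth-backend {
          address = 192.0.2.10            # constructed documentation address
          secret = REPLACE_WITH_RADIUS_SHARED_SECRET
        }
      }
    }
  }
}

# --- swanctl.conf on S ---
connections {
  roadwarriors {
    version = 2
    local_addrs = 198.51.100.20           # S's public address (constructed)
    pools = rw_pool
    send_cert = always
    local {
      auth = pubkey                       # S proves its identity with a certificate
      certs = s-cert.pem                  # placeholder file name
      id = s.example.org
    }
    remote {
      auth = eap-radius                   # EAP exchange is relayed to the RADIUS server
      eap_id = %any                       # ask the client for its EAP identity
    }
    children {
      services {
        local_ts = 10.0.0.0/24            # services reachable through S (constructed)
      }
    }
  }
}

pools {
  rw_pool {
    addrs = 10.10.0.0/24                  # virtual IPs handed to clients (constructed)
  }
}
```

With this split, client traffic is encapsulated to S's address only; the RADIUS exchange between S and the backend is the only traffic that touches the authentication server, so that link needs its own protection and a strong shared secret.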
