On 12/12/2011 04:37 PM, Martin Willi wrote:
> Hello Julien,
>
>> I would like to set up a VPN where the entry point E (strongswan server) and the services server S are not in the same place (LAN).
>> The point is that I want the traffic from clients to S not to be routed through E. In some way, E is used only to authenticate the vpn users and to setup the access between users and S.
>
> By definition, an IKE established tunnel always uses the IKE endpoints as outer tunnel addresses. This makes it relatively hard to do tunnel encapsulation on a different IP address, at least with existing implementations.

I agree, but I saw: http://tools.ietf.org/html/draft-brunner-ikev2-mediation-00

> ...
> What's the reason to have E and S in different places? What about doing the IKE exchange (and tunnel encapsulation) with S, and handle user authentication and policy decisions by a backend server, via RADIUS for example?

The problem is that S is behind a restrictive firewall (no incoming connection) but on a good network and E is not filtered but on a poor network (home ADSL). Thus, I want E to be the "entry" for the vpn, but, for performance, I want direct transfer between vpn clients and S.

Finally, I am interested if there is a strongswan specific solution (because as you suggest ikev2 mediation is probably strongswan specific): strongswan clients have mediation, others go through E (a good motivation for them to move on strongswan :P).

Julien.

-- 
Julien Allali
Associate Professor
IPB/LaBRI - https://www.labri.fr/~allali/
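As an added illustration (not from the thread and not a tested deployment), the strongSwan mediation layout Julien is considering: E acts as the IKEv2 mediation server, while S and each strongSwan client register with E and then negotiate their own IKE_SA and ESP tunnel directly with each other. Hostnames, identities, certificate files and the services subnet are assumed; the options `mediation`, `mediated_by` and `me_peerid` are the ipsec.conf keywords of the strongSwan mediation extension, which requires a build with `--enable-me`.

```ini
# --- ipsec.conf on E (mediation server, assumed name e.example.org) ---
# E only authenticates peers and brokers endpoints; no payload traffic flows here.
conn medsrv
    keyexchange=ikev2
    mediation=yes
    leftcert=eCert.pem
    leftid=@e.example.org
    auto=add

# --- ipsec.conf on S (behind the firewall; needs outbound UDP 500/4500 only) ---
conn tomed                      # registration with the mediation server
    keyexchange=ikev2
    right=e.example.org
    rightid=@e.example.org
    leftcert=sCert.pem
    leftid=@s.example.org
    auto=start

conn fromclient1                # one mediated conn per client identity
    keyexchange=ikev2
    mediated_by=tomed
    me_peerid=@client1.example.org
    rightid=@client1.example.org
    leftcert=sCert.pem
    leftid=@s.example.org
    leftsubnet=10.0.0.0/24      # assumed services subnet behind S
    auto=add

# --- ipsec.conf on a strongSwan client (assumed id client1.example.org) ---
conn tomed
    keyexchange=ikev2
    right=e.example.org
    rightid=@e.example.org
    leftcert=clientCert.pem
    leftid=@client1.example.org
    auto=start

conn tos                        # peer address is learned through E, so no 'right='
    keyexchange=ikev2
    mediated_by=tomed
    me_peerid=@s.example.org
    rightid=@s.example.org
    rightsubnet=10.0.0.0/24
    leftcert=clientCert.pem
    leftid=@client1.example.org
    auto=start
```

Only the IKE_SA to E traverses the ADSL link; the mediated IKE_SA and the ESP traffic between client and S go directly, so S's firewall must allow the outbound UDP flows (and their replies) that the hole punching relies on, and S still authenticates each client itself, so E's policy is not the only gate.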
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
