
I have a Linux box that establishes a StrongSwan VPN connection. As I understand it, this creates a virtual IP address that packets are routed to so that they go into the tunnel. I have other Linux boxes on the same subnet. I would like packets that originate from other machines on the network to be routed to the VPN box and into the tunnel. I can get packets to the VPN box, but how do I actually get the packets into the tunnel via the virtual IP address?

Is this possible using the routing table on the VPN box to direct incoming packets into the tunnel, or can I use iptables to do this routing? Any help directing me to the right tool or concept would be appreciated, thanks.

  • This is messy, and arguably not a good way of doing things. I would argue that you put a second network card in the Linux VPN box and make it into a router. Ignoring this, you need to set the Linux VPN machine as the default gateway for the other systems and configure it to forward traffic. You will likely also need to enable masquerading (i.e. NAT) for outgoing/forwarded traffic on the VPN box. – davidgo Feb 04 '22 at 20:58
  • An OpenVPN or Wireguard setup would be more efficient, both in what's trying to be done as well as throughput – JW0914 Feb 04 '22 at 21:33
  • After having a loosely related situation FUBAR at work recently, I _strongly_ recommend doing away with IPsec. If you cannot, use a virtual tunnel interface. The traffic selector stuff will just result in trouble with fragmentation and whatnot. – Daniel B Feb 04 '22 at 22:29
  • You can NAT the traffic to the virtual IP you received from the VPN server. – ecdsa Feb 07 '22 at 08:58
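The following is an added example, not code from the question or from any of the commenters, that puts the comments' suggestions together: enable forwarding on the VPN box, and SNAT the forwarded LAN traffic to the virtual IP so it falls inside the tunnel's local traffic selector. The addresses (virtual IP 10.8.0.23, LAN 192.168.1.0/24, remote subnet 10.10.0.0/16) and the interface name eth0 are assumptions to replace with your own; by default the script only prints the commands it would run, and it executes them only with APPLY=1 as root.

```shell
#!/bin/sh
# Added example (not from the original post or the strongSwan project): make a
# StrongSwan client that was assigned a virtual IP act as the gateway for other
# hosts on its LAN. The LAN hosts' packets are forwarded and SNATed to the
# virtual IP so they match the tunnel's IPsec policy and get encapsulated.
#
# All values below are assumptions; adapt them to your setup. With APPLY=0 (the
# default) commands are printed, with APPLY=1 they are executed (needs root).
set -eu

VIRTUAL_IP="${VIRTUAL_IP:-10.8.0.23}"       # virtual IP assigned by the VPN server
LAN_IF="${LAN_IF:-eth0}"                    # interface towards the other LAN boxes
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # LAN subnet whose hosts should use the tunnel
REMOTE_NET="${REMOTE_NET:-10.10.0.0/16}"    # remote traffic selector of the tunnel
APPLY="${APPLY:-0}"

# Print or execute a command, depending on APPLY.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# 1. The VPN box has to forward between its LAN and the tunnel at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# 2. Forwarded packets still carry the LAN host's source address, which lies
#    outside the tunnel's local traffic selector (the virtual IP /32), so the
#    kernel would not encapsulate them. Rewriting the source to the virtual IP
#    in the nat POSTROUTING chain makes them match; the kernel re-evaluates the
#    IPsec policy after the NAT rewrite. Use an explicit SNAT rather than
#    MASQUERADE, which picks the outgoing interface's primary address and
#    would not choose the virtual IP.
install_nat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" -j SNAT --to-source "$VIRTUAL_IP"
}

# 3. Only let LAN->remote flows and their replies through FORWARD, so the box
#    does not silently become a general-purpose router for the LAN.
install_forward_filter() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$REMOTE_NET" -j ACCEPT
    run iptables -A FORWARD -o "$LAN_IF" -s "$REMOTE_NET" -d "$LAN_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 4. Checks: the installed policy's local selector should be the virtual IP,
#    and the tunnel's byte counters should grow when a LAN host sends traffic.
show_checks() {
    run ip xfrm policy
    run ip -s xfrm state
}

main() {
    enable_forwarding
    install_nat
    install_forward_filter
    show_checks
    # On each other LAN box, route the remote subnet (or the default route) via
    # this box's LAN address, e.g.: ip route add "$REMOTE_NET" via <VPN box LAN IP>
}

main
```

If the VPN server is under your control, the alternative without NAT is to widen the client's local traffic selector (leftsubnet in ipsec.conf, local_ts in swanctl.conf) to cover the LAN subnet, which the server must accept; the NAT approach works without touching the server side.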

0 Answers