CLI StrongSwan IPSec to External VPN servers


I’ve been working on this since my target setup is a personal VPN on my desktop endpoint that goes through an IPSec tunnel established from my IPFire for double encryption and see how it fairs against Chinese hacking bastards persistently targeting me.

I’ve referred to the following articles:
and finally resorting to this

So far, I’ve had major success in making all connections coming from the IPFire instance to use the tunnel BUT no matter what I do, I can’t see to make all traffic coming from green0 to go through the tunnel even after implementing a VTI interface to help along.

Things I’ve tried:

  1. Adding a custom route to routing table 220 to allow communication between IPFire and green0 cause I found out that connecting the IPSec tunnel where charon.conf has install_routes and install_virtual_ip set to “yes” were green0 to become unreachable cause it’s forcing all traffic to go through the tunnel.

The above solution did restore communication to green0 but all packets coming from green0 were still going through normal internet and not through the tunnel.

  1. Using the VTI interface script from VTI Tunnel Interface with strongSwan :: Endre Szabo to create a dedicated vti interface that appears in ifconfig for a potentially easier life in routing.

I created a default route that utilizes the VTI interface to forward all traffic:
route add -net netmask gw metric 0 dev vti3

Yet again, it worked for the IPFire itself but fails to forward green0 traffic through the tunnel.

I’m utterly confused how to make this work, may I ask for some help/guidance on how I could solve this?

NOTE: Yes, I understand the security implications of this setup as mentioned in Feature Request: Easy Way to Add VPN Service - #2 by pmueller and I am responsible for the potential consequences that could arise out of this setup.

To those wondering why am I not just using the web interface for this:
I believe Apache web server to be a major security risk so I always have it stopped/disabled in my IPFire instance and I use a serial console to directly manage my IPFire instance.


I would recommend setting up the VTI connection using the web user interface. There are some scripts that do a little bit more than just setting up the interface.

However, I do not see any reason why this should not work.

You will quite likely need a static route to your VPN peer which takes precedence over the default route so that you insert it, the tunnel won’t try to send its own traffic through itself.

1 Like

Sorry for late reps, sounds good! I guess at this point, it couldn’t hurt to actually just get myself to setup the VTI connection using the web user interface and have it handle the rest of the complicated setup necessary.

I’ll try to work on this once I have spare time for experiments again and mark your reply as the solution as soon as I achieve success.

Many thanks and cheers!

1 Like