[Openswan Users] Setting up an OpenSwan server to be used as a gateway

Muhammad El-Sergani msergani at gmail.com
Tue Sep 4 14:42:13 EDT 2012

Dear list,

I believe I sent this email some time earlier, but wasn't experienced enough
with OpenSwan to state what I need.

Allow me to throw out a short history and what I plan to achieve in the

We all know that some countries block certain websites, services etc... In
my case it's VoIP being disabled in some countries. Now, to bypass this, I
had to have some sort of VPN. I went first with the OpenVPN option and
already have that running without issues. The problem came when my needs
were directed towards mobile devices; iPhone and Android.

OpenVPN on these devices will install and run without issues, but will
require a certain level of technical knowledge from the user. Given I'm
deploying this to a wide number of corporate users, I can't educate them
all and work certificates for every device. Besides, OpenVPN requires
jailbroken iPhones and rooted Androids (except for 4.0+).

My current option of course, would be OpenSwan; L2TP/IPsec, which is
natively available in every handset utilizing these OS's.

What I'm required to have is the following simple diagram:

(Mobile Users with dynamic IPs) --> (VPN Server somewhere in the world
running L2TP/IPsec) --> (VoIP servers in London, NY and others)

The idea of a VPN server in this case is not a method for users to connect
to office resources (local network), but rather a WAN gateway. Meaning,
users would dial in, and automatically direct their VoIP traffic (only) to
the VPN gateway, and from there to the VoIP servers. Thankfully I've been
able to do this, and things are running without issues.

However (there's always that :) ), I have a few concerns:

- First of all, has anyone done that actually? I'd really love to know how
people usually get this working
- When it comes to iPhone (not very sure about Android, but I think this
isn't the case), there's only one option to activate or deactivate, and
that's "Send all traffic".

Since I come from an OpenVPN background, I'd like to force users to send
traffic to IP X.X.X.X (for example) only through the VPN tunnel, and the
rest through the device's default gateway. Is there some way to configure
OpenSwan to do so? I have an idea to redirect traffic via iptables by
sending back an ICMP message, but I'm not sure about it; this'll cause a lot
of network traffic.

I know I've written a lot, but would really appreciate all the help I could
get here :-)
