While this change allows clients behind a NAT to connect to a VPN
gateway without having to assign virtual IPs, it also allows clients
to divert traffic to basically any IP away from the gateway (they can also
create multiple CHILD_SAs with different IPs).
For such setups it might be better (i.e. there is a bit more control
over it) to set the remote TS to e.g. 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
to allow clients from private subnets to connect if they are behind a NAT.
But generally assigning virtual IPs works way better, in particular if
there are clients behind different NATs that use the same subnet/IP.
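
The effect of the restricted remote TS described above, as an added example that is not part of the original commit or of the project's code: a simplified model of traffic selector narrowing (addresses only, no ports or protocols) against the three private ranges, plus a check for the same-address case that virtual IPs avoid. The function names, client identities and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Remote TS list suggested in the message above (private ranges).
ALLOWED_REMOTE_TS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def narrow(proposed, allowed=ALLOWED_REMOTE_TS):
    """Return the parts of a client-proposed TS that the configured TS permits."""
    proposed = ipaddress.ip_network(proposed)
    result = []
    for net in allowed:
        if proposed.subnet_of(net):
            result.append(proposed)   # fully inside the config: keep as proposed
        elif net.subnet_of(proposed):
            result.append(net)        # proposal too wide: narrow to the config
    return result


def find_collisions(accepted):
    """Return pairs of client identities whose accepted TS overlap.

    Clients behind different NATs can legitimately present the same
    private address, which leaves the gateway with ambiguous selectors.
    """
    items = [(cid, ipaddress.ip_network(ts)) for cid, ts in accepted.items()]
    clashes = []
    for i, (a, net_a) in enumerate(items):
        for b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((a, b))
    return clashes


# Constructed sample proposals (identities and addresses are made up).
PROPOSALS = {
    "alice@example.org": "192.168.1.10/32",  # private address behind a NAT
    "bob@example.org": "192.168.1.10/32",    # same address behind another NAT
    "carol@example.org": "198.51.100.7/32",  # outside the allowed ranges
    "dave@example.org": "0.0.0.0/0",         # asks for everything
}

if __name__ == "__main__":
    accepted = {}
    for cid, ts in PROPOSALS.items():
        narrowed = narrow(ts)
        print(cid, ts, "->", [str(n) for n in narrowed] or "rejected")
        if len(narrowed) == 1:
            accepted[cid] = str(narrowed[0])
    print("collisions:", find_collisions(accepted))
```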