From: Tobias Brunner
Date: Thu, 12 Apr 2018 13:28:10 +0000 (+0200)
Subject: WIP: Allows traffic diversion
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fuse-dynamic-address-from-proposal;p=thirdparty%2Fstrongswan.git

WIP: Allows traffic diversion

While this change allows clients behind a NAT to connect to a VPN gateway
without having to assign virtual IPs, it also allows clients to divert
traffic to basically any IP away from the gateway (they can also create
multiple CHILD_SAs with different IPs).

For such setups it might be better (i.e. there is a bit more control over
it) to set the remote TS to e.g. 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
to allow clients from private subnets to connect if they are behind a NAT.
But generally assigning virtual IPs works way better, in particular, if
there are clients behind different NATs that use the same subnet/IP.
---