Issue #722

Using strongswan with a single NIC assigned an internet IP address

Added by S W almost 11 years ago. Updated about 10 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.2.0
Resolution: No feedback

Description

Hi folks:

I'm new to strongswan, so please bear with me. I've signed up for a low end VPS (running Debian Wheezy) at oceandigital.com that I want to use as an SMTP relay, both to my primary and backup mail servers at different sites. The ISP at my backup server site has recently blocked port 25, and I think the ISP at my primary site may do so in the not too distant future. My goal is to establish two IPSEC VPN connections from the oceandigital droplet (that's what they call their VPSs) to my Zyxel routers at the primary and backup email server sites. Through those VPNs I want to route incoming and outgoing SMTP traffic such that I can get around the port 25 restriction and have all port 25 traffic entering and exiting the internet from the VPS server.

The VPS server only has a single NIC with an internet IP address assigned to it, so there is no NAT involved anywhere yet. My question concerns how to create the non-routable IP addresses in the private range to be used to connect across the VPN to each of my email servers (i.e. the email servers would connect to the VPS over the VPN via this private address). In all of the strongswan examples involving site to site, eth1 is always assigned the private IP address. As I have no eth1 I guess I have two choices; I could create eth0:1 and assign an IP alias address in the private range to it and use that, or I could add an IP alias to the loopback adapter, thus creating lo:1, and assign it an address in the private range. Offhand I'd say if there were no special gotchas about strongswan using the loopback adapter I'd create lo:1 because then the private IP addresses wouldn't be accessible from the physical NIC (yes, I know there shouldn't be anybody on the physical interface using a private address if it's assigned a public address).

I wasn't certain if one could use the loopback adapter that way, and I also wasn't sure if strongswan had some way to create a virtual network interface on its own to be the container for the private IP address. Sometimes I see references to TUN and TAP adapters similar to what OpenVPN uses, but there was never anything specific about how to go about creating those if they can be used.

Suggestions welcome.

History

#1 Updated by Tobias Brunner almost 11 years ago

  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

In all of the strongswan examples involving site to site eth1 is always assigned the private IP address. As I have no eth1 I guess I have two choices; I could create eth0:1 and assign an IP alias address in the private range to it and use that, or I could add an IP alias to the loopback adapter, thus creating lo:1 and assign it an address in the private range.

There is no need to create additional interfaces (like TUN) or aliases (like eth0:1, which are an old concept anyway). If you want to use private IP addresses inside the IPsec tunnels just add them to one of the existing interfaces (eth0 or lo) using ip addr add.
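The approach described in the reply above, as an added example that is not from the strongSwan project or from either participant: a small POSIX shell helper that checks the chosen tunnel address really is in an RFC 1918 private range (so it never routes on the public NIC) and prints the `ip addr add` command for the existing `lo` interface together with a matching ipsec.conf `conn` stanza. The addresses 10.99.0.1, 192.168.1.0/24 and 203.0.113.5 and the function names are constructed assumptions; the stanza is a fragment and omits the authentication settings.

```shell
#!/bin/sh
# Added example, not strongSwan project code. Function names and all
# addresses below are constructed for illustration.

# Return 0 if ADDR is a valid dotted quad inside 10/8, 172.16/12 or
# 192.168/16 (the RFC 1918 ranges), 1 otherwise.
is_rfc1918() {
    addr="$1"
    oldifs=$IFS; IFS=.
    set -- $addr          # split into octets as positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Print the address command and a conn stanza for one site.
# Args: VPS private address, site LAN (CIDR), site router public IP, conn name.
# Refuses a non-private address, since the point is an address that is only
# reachable through the IPsec policy, never via the public interface.
plan_tunnel() {
    vps_priv="$1" site_lan="$2" peer_pub="$3" name="$4"
    is_rfc1918 "$vps_priv" || { echo "refusing: $vps_priv is not RFC 1918" >&2; return 1; }
    cat <<EOF
# 1) bind the private address to lo as a /32; no eth0:1 or lo:1 alias needed
ip addr add ${vps_priv}/32 dev lo
# 2) ipsec.conf on the VPS: left = this host, right = the site's router
conn ${name}
    left=%defaultroute
    leftsubnet=${vps_priv}/32
    right=${peer_pub}
    rightsubnet=${site_lan}
    auto=start
EOF
}

# Example run: primary mail site (constructed values)
plan_tunnel 10.99.0.1 192.168.1.0/24 203.0.113.5 primary-site
```

Run it once per site with a different conn name and rightsubnet; the same 10.99.0.1/32 can serve as leftsubnet for both tunnels.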

#2 Updated by S W almost 11 years ago

Thanks for the information. I'll be trying this out in the next few days.

#3 Updated by Tobias Brunner about 10 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Resolution set to No feedback