<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style></head><body dir="ltr"><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Managed to solve this using the hub-spoke model. <span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">If anyone happens to stumble upon this thread in need of further help, I found the following strongSwan
article useful: </span></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><a href="https://wiki.strongswan.org/projects/strongswan/wiki/SubnetsBehindMoreThanTwoGateways" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">https://wiki.strongswan.org/projects/strongswan/wiki/SubnetsBehindMoreThanTwoGateways</a><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">.</span></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><br></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
As for using connmark, there are a few test examples (updown script available on GitHub):</div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><a href="https://www.strongswan.org/testing/testresults/ikev2/host2host-transport-connmark/index.html" style="margin: 0px; font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255)">https://www.strongswan.org/testing/testresults/ikev2/host2host-transport-connmark/index.html</a><br></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><a href="https://www.strongswan.org/testing/testresults/ikev2/nat-rw-mark/index.html">https://www.strongswan.org/testing/testresults/ikev2/nat-rw-mark/index.html</a></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><br></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Regards</div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Marwan</div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><br></div><div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
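The hub-and-spoke layout from the wiki article linked above, as an added example that is not part of this thread and not the strongSwan project's own documentation: a swanctl.conf for the hub and for one spoke. Every address, identity and certificate file name is an assumption for illustration (RFC 5737 documentation ranges). The point is that, for each spoke, the hub's local_ts lists every other network reachable through the hub, and each spoke's remote_ts lists everything behind the hub including the other spokes' LANs, so spokes reach each other without a direct tunnel.

```conf
# Added example (not from this thread or the strongSwan project): hub-and-spoke
# swanctl.conf. All addresses, identities and file names below are assumptions.
#
# Hub:     public 203.0.113.1,       LAN 10.1.0.0/16
# Spoke A: public 198.51.100.2,      LAN 10.2.0.0/16
# Spoke B: dynamic / NATed address,  LAN 10.3.0.0/16 (the hub cannot dial it)

# ---- /etc/swanctl/swanctl.conf on the hub ----
connections {
    spoke-a {
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.2
        dpd_delay = 30
        local {
            auth  = pubkey
            # certificate issued by a CA whose cert sits in /etc/swanctl/x509ca
            certs = hub.pem
            id    = hub.example.net
        }
        remote {
            auth = pubkey
            id   = spoke-a.example.net
        }
        children {
            spoke-a {
                # hub LAN plus spoke B's LAN: 10.2/16 <-> 10.3/16 traffic enters and
                # leaves this SA on the A side, so the spokes reach each other via the hub
                local_ts  = 10.1.0.0/16,10.3.0.0/16
                remote_ts = 10.2.0.0/16
                # install policies now, negotiate the SA on the first matching packet
                start_action = trap
                dpd_action   = restart
            }
        }
    }
    spoke-b {
        local_addrs  = 203.0.113.1
        # spoke B has no fixed public address, so only B can initiate
        remote_addrs = %any
        dpd_delay = 30
        local {
            auth  = pubkey
            certs = hub.pem
            id    = hub.example.net
        }
        remote {
            auth = pubkey
            id   = spoke-b.example.net
        }
        children {
            spoke-b {
                local_ts  = 10.1.0.0/16,10.2.0.0/16
                remote_ts = 10.3.0.0/16
                # no start_action here: the hub cannot initiate towards %any
            }
        }
    }
}

# ---- /etc/swanctl/swanctl.conf on spoke B ----
connections {
    hub {
        remote_addrs = 203.0.113.1
        dpd_delay = 30
        local {
            auth  = pubkey
            certs = spoke-b.pem
            id    = spoke-b.example.net
        }
        remote {
            auth = pubkey
            id   = hub.example.net
        }
        children {
            hub {
                local_ts  = 10.3.0.0/16
                # everything behind the hub, including spoke A's LAN, goes into the tunnel
                remote_ts = 10.1.0.0/16,10.2.0.0/16
                # B must bring the tunnel up itself and keep it up, since the hub cannot
                start_action = start
                dpd_action   = restart
                close_action = start
            }
        }
    }
}
```

On the hub, IP forwarding has to be enabled (net.ipv4.ip_forward=1) and the FORWARD chain must pass traffic between the spoke networks: the IPsec policies only decide what is allowed into and out of each SA, the kernel still routes between them. Adding a fourth site means one more connection on the hub whose local_ts lists all other networks, plus a new entry in every existing spoke's remote_ts, which is the manual part of this model.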
</div><hr style="display:inline-block;width:98%" tabindex="-1"><div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Users <users-bounces@lists.strongswan.org> on behalf of Marwan Khalili <marwan.khalili@edgeguide.com><br><b>Sent:</b> Friday, April 26, 2019 11:11<br><b>To:</b> Noel Kuntze; Michael Schwartzkopff; users@lists.strongswan.org<br><b>Subject:</b> Re: [strongSwan] Need advice on how to connect multiple sites and hosts to a VPN</font><div> </div></div><style type="text/css" style="display:none"><!--
p
{margin-top:0;
margin-bottom:0}
--></style><div dir="ltr"><div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif"><p style="margin-top:0; margin-bottom:0">Hello,</p><p style="margin-top:0; margin-bottom:0"><br></p><p style="margin-top:0; margin-bottom:0"><span style="font-size:12pt">Thank you for the advice! I am trying to puzzle out a few things:</span></p><p style="margin-top:0; margin-bottom:0"><br></p><p style="margin-top:0; margin-bottom:0"><span style="font-size:12pt">For a fully meshed network, is it possible to connect two hosts without a public IP <span style="font-family:Calibri,Helvetica,sans-serif,Helvetica,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols; font-size:16px">(e.g.
home PCs)?</span> Or are we restricted to a partial mesh in that case?</span></p><p style="margin-top:0; margin-bottom:0"><span style="font-size:12pt"><br></span></p><p style="margin-top:0; margin-bottom:0">For the hub-spoke model, I'm thinking that we either have one of the gateways act as a hub for the network or we maintain separate servers that will solely be used as hubs.</p><p style="margin-top:0; margin-bottom:0"><span style="font-size:12pt">However, if we maintain separate hub servers, we will not be able to set up a distinct server for each intranet VPN as we have several customers and some of our customers wish to have multiple
VPNs.</span><br></p><p style="margin-top:0; margin-bottom:0"><span style="font-size:12pt">Is it possible to configure a hub to be used for several intranet VPNs in strongSwan without worrying about IP collisions? (T</span><span style="font-size:12pt">hink two customers with separate
VPNs, but using the same server as a hub). I have read about the connmark plugin but I am not sure if/how it is meant to be used for cases like this.</span></p><p style="margin-top:0; margin-bottom:0"><br></p><p style="margin-top:0; margin-bottom:0">Regards</p><p style="margin-top:0; margin-bottom:0"><br></p><p style="margin-top:0; margin-bottom:0">Marwan</p><p style="margin-top:0; margin-bottom:0"><br></p><br><br><div style="color:rgb(0,0,0)"><hr tabindex="-1" style="display:inline-block; width:98%"><div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting><br><b>Sent:</b> Thursday, April 25, 2019 16:53<br><b>To:</b> Marwan Khalili; Michael Schwartzkopff; users@lists.strongswan.org<br><b>Subject:</b> Re: [strongSwan] Need advice on how to connect multiple sites and hosts to a VPN</font><div> </div></div><div class="x_BodyFragment"><font size="2"><span style="font-size:11pt"><div class="x_PlainText">Hello,<br><br>
That's perfectly feasible with strongSwan. Details would need to be discussed in particular, e.g. regarding any needed ACLs.<br>
It's possible to build a dynamic fully meshed network using an OpenNHRP-compatible patched version of strongSwan. It requires some extra care though,<br>
because it's evidently not maintained by upstream, but by Timo Teras of Alpine Linux.<br><br>
The currently possible solution is either a manually configured mesh or a hub-spoke model, like Michael mentioned.<br>
Meaning, there's a central site and all other sites connect to that central site to communicate with the others.<br>
That evidently severely limits the available bandwidth and introduces a SPOF (Single Point Of Failure).<br><br>
Kind regards<br><br>
Noel<br><br>
Am 25.04.19 um 16:26 schrieb Marwan Khalili:<br>
> > How many sites / offices do you want to connect?<br>
><br>
> It would be a limited amount of sites, we can assume that it will be between 2 to 10 sites.<br>
><br>
> > Do you want to be able to communicate any-to-any? Or only from anyone to a datacenter?<br>
><br>
> We wish to communicate any-to-any.<br>
><br>
> > What architecture do you like to implement? A hub/spoke system would be the easiest.<br>
><br>
> We were thinking of having a server act as an intermediary which the sites/hosts connect to. Perhaps this is what you meant by hub/spoke system?<br>
><br>
> However, the architecture is not set in stone and we are open to any solution.<br>
><br>
><br>
> Kind regards/Regards<br>
><br>
> Marwan Khalili<br>
> Cell +46 704784722<br>
> marwan.khalili@edgeguide.com<br>
><br>
> EdgeGuide AB<br>
> S:t Eriksgatan 26, SE-112 39 Stockholm, Sweden<br>
> phone +46 84411690, fax +46 87204190 <br>
> edgeguide.com <<a href="http://www.edgeguide.com/" id="LPlnk28034" class="x_OWAAutoLink">http://www.edgeguide.com/</a>><br><br>
><br><br></div></span></font></div></div></div></div></body></html>