[strongSwan] building groups in end-to-end scenario

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 10 14:57:12 CEST 2010 

You must either define a whole mesh for the group

ipsec.conf on host 1
  conn host1-host2
       left=192.168.56.1
       right=192.168.56.2
       auto=route
  conn host1-host3
       left=192.168.56.1
       right=192.168.56.3
       auto=route

ipsec.conf on host 2
  conn host2-host1
       left=192.168.56.2
       right=192.168.56.1
       auto=route
  conn host2-host3
       left=192.168.56.2
       right=192.168.56.3
       auto=route

ipsec.conf on host 3
  conn host3-host1
       left=192.168.56.3
       right=192.168.56.1
       auto=route
  conn host3-host2
       left=192.168.56.3
       right=192.168.56.2
       auto=route

which increases quadratically with the number of hosts
in the group or you can set up a hub-and-spoke topology
with a VPN gateway at the center which will relay the
traffic to the peers:

ipsec.conf on gw
  conn gw
       left=192.168.56.254
       leftsubnet=192.168.56.0/24
       right=%any
       auto=add

ipsec.conf on host 1
  conn gw
       left=192.168.56.1
       right=192.168.56.254
       rightsubnet=192.168.56.0/24
       auto=route

ipsec.conf on host 2
  conn gw
       left=192.168.56.2
       right=192.168.56.254
       rightsubnet=192.168.56.0/24
       auto=route

ipsec.conf on host 3
  conn gw
       left=192.168.56.3
       right=192.168.56.254
       rightsubnet=192.168.56.0/24
       auto=route

Regards

Andreas

On 10.09.2010 14:20, johann badinger wrote:
> On 10.09.2010 13:45, Andreas Steffen wrote:
>> Hello Johann,
>>
>> your setup doesn't work because right=%any is for passive responders
>> only. As an initiator you must give the IP address of the peer you
>> want to reach explicitly in the right= statement.
>>
>> Regards
>>
>> Andreas
>>
> Thanks for the quick response.
> Have anyone some ideas how I can realize this group scenario.
> 
> host1=====host2====host3 --> group vpn with any hosts.
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list