[strongSwan] multi ptp setup question.

Gary Smith gary.smith at holdstead.com
Tue Feb 22 00:20:59 CET 2011

First, I'm a total newb to strongswan. I have been using openswan for some years but after a recent upgrade from centos to opensuse, we have found that openswan isn't really an option for us (no packages, failed compiles).  So I figured I'd give this a shot.

We have (5) locations right now. We have static IP's at (3 -  a, b, and c) of them which are the primary network, and two sets of backup servers. These guys need to talk in any direction a<->b, b<->c, and c<->a. The other (2 d, and e) locations (two is really a dynamic number here), of one them needs to talk to all (3) of the remote networks d<->a, d<->b, and d<->c. The final location e (which can be multiple road warriors) just needs e<->a.

My confusion comes in with how strongswan used ssl keys to handle this. Openswan was a little simpler in that we just need to exchange the primary key on the destination server. From my undertadning, I need to issue an ssl key for each destination point that will connect to a particular server. So following my understanding, do I need to create a CA on each server a, b and c, and issue those keys out to a-e?

My thought was to setup a single primary VPN (say a, since it's the primary network) and have it issue out all of the keys, but I don't know how this works with things like revocation on the remote servers that need check client access as well.

What's my best strategy for this? 

Once I tackle this part of the problem, Windows clients will be the second part. Server d in the scenario above is a home office that needs to route in both directions, but e (to the nth) will be random Windows 7 workstations. Now I've looked at the wiki and the configuration for the workstations e<->a looks pretty simple if server a is the CA. It's just the rest of it that looks complicated.

Can someone help step me through this?


Gary Smith

More information about the Users mailing list