[strongSwan] Set up strongswan in hub-and-spoke topology

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Apr 1 21:55:29 CEST 2015


Hi

Maybe the attached ipsec.conf files for Hub and spokes (2 spokes) would be
useful. It worked for me nicely in my setup, which is also attached.

PS: The attachment is a rar file (zipped using winrar)

thanks & regards
rajiv


On Sun, Mar 29, 2015 at 2:43 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Aleksey
>
> You need to define every net-to-net tunnel manually in ipsec.conf or
> swanctl.conf.
> The tunneled subnets for every spoke configuration on the hub would be
>     leftsubnet=allOtherSpokeNetworks
>     rightsubnet=SpokeNetwork
>
> On the spokes, the declaration would be the reverse of that.
>
> You can only use a host that is reachable on layer two as router for
> another host.
> So you cannot do that. You can, however, set the dscp value in the IP
> packets you want to be routed by the hub, for example, and use policy
> based routing on the hub to handle them in a special way.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 28.03.2015 um 16:12 schrieb unite:
> > Hi guys!
> >
> > Is there a way to configure strongswan in a site-to-site hub-and-spoke
> topology, so for me to have for example strongswan hub in central office
> and having multiple spokes whose traffic between each other should be
> routed through the central office? I haven't found a guide on the net, so
> it would be very helpful for me if you can point me to the one, or just
> explain how can I configure my tunnels in such a way.
> >
> > Also, I guess pretty similar question, can I configure clients in
> spoke's network to use central office as a default gateway, so their
> traffic should be routed encrypted to the central office, then decrypted
> and sent to the receiver?
> >
> > Thanks in advance.
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan-ipsec-hub-spoke-configs.rar
Type: application/rar
Size: 37110 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150402/652396d0/attachment-0001.rar>
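
Added example (not part of the original messages or of the scrubbed attachment): a Python sketch that generates the per-spoke conn sections described in the quoted reply, with leftsubnet set to all other spoke networks on the hub and the reverse on each spoke. The addresses, subnets, conn names and the keyexchange/auto values are assumptions, and authentication settings are omitted because the thread does not cover them.

```python
import ipaddress

# Constructed sample topology (documentation/private ranges, not from the thread).
HUB_ADDR = "192.0.2.1"
SPOKES = {
    "spoke1": {"addr": "198.51.100.11", "net": "10.1.0.0/16"},
    "spoke2": {"addr": "198.51.100.12", "net": "10.2.0.0/16"},
    "spoke3": {"addr": "198.51.100.13", "net": "10.3.0.0/16"},
}

def parse_nets(spokes):
    """Parse spoke subnets; reject overlaps, which make the selectors ambiguous."""
    nets = {n: ipaddress.ip_network(s["net"]) for n, s in spokes.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return nets

def others_of(nets, name):
    return ",".join(str(nets[o]) for o in sorted(nets) if o != name)

def conn(name, left, leftsubnet, right, rightsubnet, auto):
    # Auth options omitted (not in the thread); subnet lists assume IKEv2.
    return "\n".join([
        f"conn {name}",
        "    keyexchange=ikev2",
        f"    left={left}",
        f"    leftsubnet={leftsubnet}",
        f"    right={right}",
        f"    rightsubnet={rightsubnet}",
        f"    auto={auto}",
    ])

def hub_conf(hub_addr, spokes):
    """Hub side: one conn per spoke, leftsubnet = all other spoke networks."""
    nets = parse_nets(spokes)
    return "\n\n".join(
        conn(f"hub-{n}", hub_addr, others_of(nets, n), spokes[n]["addr"], str(nets[n]), "add")
        for n in sorted(spokes))

def spoke_conf(hub_addr, spokes, name):
    """Spoke side: the reverse of the hub's conn for this spoke."""
    nets = parse_nets(spokes)
    return conn(f"{name}-hub", spokes[name]["addr"], str(nets[name]), hub_addr, others_of(nets, name), "start")

if __name__ == "__main__":
    print(hub_conf(HUB_ADDR, SPOKES), spoke_conf(HUB_ADDR, SPOKES, "spoke1"), sep="\n\n")
```

Adding a spoke changes the leftsubnet list of every existing hub conn and the rightsubnet of every existing spoke, so all sections need regenerating together.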

