[strongSwan] Set up strongswan in hub-and-spoke topology

Aleksey unite at openmailbox.org
Thu Apr 2 12:14:35 CEST 2015


On 2015-04-01 22:55, Rajiv Kulkarni wrote:
> Hi
> 
> Maybe the attached ipsec.conf files for Hub and spokes (2 spokes)
> would be useful. It worked for me nicely in my setup which is also
> attached
> 
> PS: The attachment is a rar file (zipped using winrar)
> 
> thanks & regards
> rajiv
> 
> On Sun, Mar 29, 2015 at 2:43 AM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
> 
>> Hello Aleksey
>> 
>> You need to define every net-to-net tunnel manually in ipsec.conf
>> or swanctl.conf.
>> The tunneled subnets for every spoke configuration on the hub would
>> be
>> leftsubnet=allOtherSpokeNetworks
>> rightsubnet=SpokeNetwork
>> 
>> On the spokes, the declaration would be the reverse of that.
>> 
>> You can only use a host that is reachable on layer two as router
>> for another host.
>> So you cannot do that. You can, however, set the dscp value in the
>> IP packets you want to be routed by the hub, for example, and use
>> policy based routing on the hub to handle them in a special way.
>> 
>> Kind Regards,
>> Noel Kuntze
>> 
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> 
>> On 28.03.2015 at 16:12, unite wrote:
>>> Hi guys!
>>> 
>>> Is there a way to configure strongswan in a site-to-site
>>> hub-and-spoke topology, so for me to have for example strongswan hub
>>> in central office and having multiple spokes whose traffic between
>>> each other should be routed through the central office? I haven't
>>> found a guide on the net, so it would be very helpful for me if you
>>> can point me to the one, or just explain how I can configure my
>>> tunnels in such a way.
>>> 
>>> Also, I guess pretty similar question, can I configure clients in
>>> spoke's network to use central office as a default gateway, so their
>>> traffic should be routed encrypted to the central office, then
>>> decrypted and sent to the receiver?
>>> 
>>> Thanks in advance.
>>> 
>> 
>> 
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users

Thanks everyone, guys. I'll try configuring it in the next few days.

-- 
With kind regards,
Aleksey
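Noel's rule above (hub: leftsubnet=allOtherSpokeNetworks, rightsubnet=SpokeNetwork; spokes: the reverse) worked into a small ipsec.conf generator. This is an added example, not code from this thread or from the strongSwan project; the addresses are constructed, the hub's own LAN is assumed to belong in the hub-side selectors as well, and peer addresses and authentication settings are left out of the rendered conn sections.

```python
import ipaddress
from typing import Dict, List

# Constructed example topology (hypothetical addresses): the hub's own LAN
# plus the LAN behind each of two spokes.
HUB_NET = "10.0.0.0/24"
SPOKES: Dict[str, str] = {"spokeA": "10.1.0.0/24", "spokeB": "10.2.0.0/24"}


def networks_disjoint(nets: List[str]) -> bool:
    """True if no two networks overlap. Overlapping traffic selectors on the
    hub would make it ambiguous which spoke tunnel a packet belongs to."""
    parsed = [ipaddress.ip_network(n, strict=True) for n in nets]
    return not any(a.overlaps(b) for i, a in enumerate(parsed) for b in parsed[i + 1:])


def hub_side_subnets(spoke: str, hub_net: str, spokes: Dict[str, str]) -> List[str]:
    """Subnets the hub tunnels towards one spoke: the hub LAN (assumption: it
    is wanted too) plus every *other* spoke LAN, i.e. allOtherSpokeNetworks."""
    nets = [hub_net] + [net for name, net in spokes.items() if name != spoke]
    if not networks_disjoint(nets + [spokes[spoke]]):
        raise ValueError("hub-and-spoke LANs must not overlap")
    return [str(n) for n in sorted(ipaddress.ip_network(n) for n in nets)]


def conn_block(name: str, left: List[str], right: List[str]) -> str:
    """Render one ipsec.conf conn section; left is this host, right the peer.
    Comma-separated subnet lists require IKEv2 (IKEv1 would only use the first
    subnet); left/right addresses and auth settings are omitted here."""
    return "\n".join([f"conn {name}",
                      "    keyexchange=ikev2",
                      f"    leftsubnet={','.join(left)}",
                      f"    rightsubnet={','.join(right)}",
                      "    auto=route"])


def hub_config(hub_net: str, spokes: Dict[str, str]) -> str:
    """One conn per spoke on the hub: leftsubnet=allOtherSpokeNetworks,
    rightsubnet=SpokeNetwork."""
    return "\n\n".join(conn_block(f"to-{s}", hub_side_subnets(s, hub_net, spokes), [net])
                       for s, net in spokes.items())


def spoke_config(spoke: str, hub_net: str, spokes: Dict[str, str]) -> str:
    """On the spoke the declaration is the reverse of the hub's conn for it."""
    return conn_block("to-hub", [spokes[spoke]], hub_side_subnets(spoke, hub_net, spokes))


if __name__ == "__main__":
    print("# hub\n" + hub_config(HUB_NET, SPOKES))
    for s in SPOKES:
        print(f"\n# {s}\n" + spoke_config(s, HUB_NET, SPOKES))
```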