[strongSwan] Set up strongswan in hub-and-spoke topology

Noel Kuntze noel at familie-kuntze.de
Sat Mar 28 22:13:22 CET 2015


Hello Aleksey

You need to define every net-to-net tunnel manually in ipsec.conf or swanctl.conf.
The tunneled subnets for every spoke configuration on the hub would be
    leftsubnet=allOtherSpokeNetworks
    rightsubnet=SpokeNetwork

On the spokes, the declaration would be the reverse of that.

You can only use a host that is reachable on layer two as router for another host.
So you cannot do that. You can, however, set the dscp value in the IP packets you want to be routed by the hub, for example, and use policy
based routing on the hub to handle them in a special way.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 28.03.2015 at 16:12, unite wrote:
> Hi guys!
>
> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so for me to have for example strongswan hub in central office and having multiple spokes whose traffic between each other should be routed through the central office? I haven't found a guide on the net, so it would be very helpful for me if you can point me to the one, or just explain how can I configure my tunnels in such a way.
>
> Also, I guess pretty similar question, can I configure clients in spoke's network to use central office as a default gateway, so their traffic should be routed encrypted to the central office, then decrypted and sent to the receiver?
>
> Thanks in advance.
>

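The "leftsubnet = all other spoke networks / rightsubnet = this spoke's network" rule above is easy to get wrong once there are more than two spokes, because every hub-side connection and every spoke-side connection has to be kept consistent. The following is an added example, not code from the original post or from the strongSwan project: a small Python script that derives the traffic selectors for each spoke from one topology table, renders them as swanctl.conf fragments (local_ts/remote_ts are the swanctl.conf equivalents of leftsubnet/rightsubnet; authentication and proposal settings are left out), and checks that a spoke-to-spoke packet is matched by an IPsec policy at all four hops. The topology (hub network 10.0.0.0/24, three spokes) and all addresses are constructed for the example. The hub still has to be allowed to forward between the two tunnels (net.ipv4.ip_forward=1 on Linux); the script only covers the IPsec policies.

```python
import ipaddress

# Constructed example topology; the addresses are assumptions, not from the post.
HUB_ADDR = "198.51.100.1"
HUB_NET = "10.0.0.0/24"
SPOKES = {
    "branch-a": {"addr": "203.0.113.10", "net": "10.1.0.0/24"},
    "branch-b": {"addr": "203.0.113.20", "net": "10.2.0.0/24"},
    "branch-c": {"addr": "203.0.113.30", "net": "10.3.0.0/24"},
}


def hub_side_ts(spoke, spokes=SPOKES, hub_net=HUB_NET, via_hub=True):
    """Traffic selectors of the hub's connection to `spoke`, as (local_ts, remote_ts).

    via_hub=True is the hub-and-spoke setup from the reply: local_ts is the hub's
    own net plus every *other* spoke net, remote_ts is the spoke's net.
    via_hub=False is a plain site-to-site selector (hub net only), for comparison.
    """
    local = [hub_net]
    if via_hub:
        local += sorted(s["net"] for name, s in spokes.items() if name != spoke)
    return local, [spokes[spoke]["net"]]


def spoke_side_ts(spoke, **kw):
    """The spoke's connection to the hub is the reverse of the hub's view."""
    local, remote = hub_side_ts(spoke, **kw)
    return remote, local


def covers(ts_list, net):
    """True if `net` lies inside one of the traffic selectors in `ts_list`."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(ipaddress.ip_network(ts)) for ts in ts_list)


def spoke_to_spoke_ok(src, dst, spokes=SPOKES, **kw):
    """Check that a packet from src's net to dst's net matches an IPsec policy at
    every hop: src spoke (out), hub (in from src), hub (out to dst), dst spoke (in)."""
    src_net, dst_net = spokes[src]["net"], spokes[dst]["net"]
    s_local, s_remote = spoke_side_ts(src, spokes=spokes, **kw)
    h_local_src, h_remote_src = hub_side_ts(src, spokes=spokes, **kw)
    h_local_dst, h_remote_dst = hub_side_ts(dst, spokes=spokes, **kw)
    d_local, d_remote = spoke_side_ts(dst, spokes=spokes, **kw)
    return (covers(s_local, src_net) and covers(s_remote, dst_net)            # src spoke encrypts it
            and covers(h_remote_src, src_net) and covers(h_local_src, dst_net)  # hub accepts it inbound
            and covers(h_local_dst, src_net) and covers(h_remote_dst, dst_net)  # hub re-encrypts it to dst
            and covers(d_remote, src_net) and covers(d_local, dst_net))         # dst spoke accepts it


def render_swanctl(conns):
    """Render (name, local_addr, remote_addr, local_ts, remote_ts) tuples as a
    swanctl.conf 'connections' section. Auth and proposal settings are omitted."""
    out = ["connections {"]
    for name, laddr, raddr, lts, rts in conns:
        out += [f"    {name} {{",
                f"        local_addrs = {laddr}",
                f"        remote_addrs = {raddr}",
                "        children {",
                "            net {",
                f"                local_ts = {','.join(lts)}",
                f"                remote_ts = {','.join(rts)}",
                "            }",
                "        }",
                "    }"]
    out.append("}")
    return "\n".join(out)


def hub_conf(spokes=SPOKES, hub_addr=HUB_ADDR, **kw):
    """One connection per spoke on the hub."""
    return render_swanctl([("hub-" + name, hub_addr, s["addr"],
                            *hub_side_ts(name, spokes=spokes, **kw))
                           for name, s in spokes.items()])


def spoke_conf(spoke, spokes=SPOKES, hub_addr=HUB_ADDR, **kw):
    """The single connection a spoke needs: everything goes through the hub."""
    return render_swanctl([(spoke + "-hub", spokes[spoke]["addr"], hub_addr,
                            *spoke_side_ts(spoke, spokes=spokes, **kw))])


if __name__ == "__main__":
    print(hub_conf())
    print(spoke_conf("branch-a"))
    for a in SPOKES:
        for b in SPOKES:
            if a != b:
                print(f"{a} -> {b}: via hub {spoke_to_spoke_ok(a, b)}, "
                      f"site-to-site only {spoke_to_spoke_ok(a, b, via_hub=False)}")
```

Running it prints the hub's three connections and branch-a's single connection, and the check shows why "all other spoke networks" is needed: with via_hub=False (each spoke only tunnels the hub network) every spoke-to-spoke pair fails at the first hop, because the source spoke has no policy covering the destination spoke's net. Adding a spoke means regenerating the hub config and every existing spoke's remote_ts, which is the maintenance cost of doing this manually that the reply refers to. `ipaddress.ip_network.subnet_of` requires Python 3.7 or newer.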