[strongSwan] Set up strongswan in hub-and-spoke topology

unite unite at openmailbox.org
Mon Mar 30 09:58:52 CEST 2015


On 2015-03-28 23:13, Noel Kuntze wrote:
> Hello Aleksey
> 
> You need to define every net-to-net tunnel manually in ipsec.conf or
> swanctl.conf.
> The tunneled subnets for every spoke configuration on the hub would be
>     leftsubnet=allOtherSpokeNetworks
>     rightsubnet=SpokeNetwork
> 
> On the spokes, the declaration would be the reverse of that.
> 
> You can only use a host that is reachable on layer two as a router for
> another host.
> So you cannot do that. You can, however, set the DSCP value in the IP
> packets you want to be routed by the hub, for example, and use policy
> based routing on the hub to handle them in a special way.
> 
> Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 28.03.2015 at 16:12, unite wrote:
>> Hi guys!
>> 
>> Is there a way to configure strongswan in a site-to-site hub-and-spoke 
>> topology, so for me to have for example strongswan hub in central 
>> office and having multiple spokes whose traffic between each other 
>> should be routed through the central office? I haven't found a guide 
>> on the net, so it would be very helpful for me if you can point me to 
>> the one, or just explain how I can configure my tunnels in such a way.
>> 
>> Also, I guess pretty similar question, can I configure clients in 
>> spoke's network to use central office as a default gateway, so their 
>> traffic should be routed encrypted to the central office, then 
>> decrypted and sent to the receiver?
>> 
>> Thanks in advance.
>> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Hi Noel!

Thanks for your answer, however I got a bit confused by it. So you 
mean that I can configure a hub-and-spoke topology for routing between 
the spokes' subnets, but the second scenario, in which all client traffic is 
first routed through the hub, cannot be achieved using strongSwan only; 
I need some complex PBR configuration on both hub and spoke, I guess?

-- 
With kind regards,
Aleksey
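To make Noel's rule concrete (each spoke's tunnel on the hub carries leftsubnet=allOtherSpokeNetworks / rightsubnet=SpokeNetwork, and the spoke side is the mirror image), here is an added example that generates matching swanctl.conf fragments for a hub and three spokes. It is not code from the thread or from the strongSwan project; the site names, addresses, identities and the PSK placeholder are constructed, and the generated keys (connections, children, local_ts, remote_ts, start_action, secrets with id-N/secret) are standard swanctl.conf options. It also refuses overlapping site networks, since overlapping traffic selectors would make the kernel match the wrong policy and send traffic down the wrong tunnel.

```python
"""Generate swanctl.conf fragments for a strongSwan hub-and-spoke topology.

Added example, not code from the mailing-list thread or the strongSwan
project. All names, addresses and the PSK below are constructed placeholders.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample topology (documentation/private ranges only).
HUB = {"name": "hub", "addr": "203.0.113.1", "id": "hub.example.org",
       "net": "10.0.0.0/24"}
SPOKES = [
    {"name": "spoke1", "addr": "198.51.100.11", "id": "spoke1.example.org",
     "net": "10.1.0.0/24"},
    {"name": "spoke2", "addr": "198.51.100.12", "id": "spoke2.example.org",
     "net": "10.2.0.0/24"},
    {"name": "spoke3", "addr": "198.51.100.13", "id": "spoke3.example.org",
     "net": "10.3.0.0/24"},
]
PSK = "replace-me-with-a-long-random-psk"   # placeholder, never deploy as-is


def check_disjoint(hub, spokes):
    """Fail early on overlapping site networks: overlapping traffic selectors
    would let the kernel match the wrong IPsec policy on the hub."""
    nets = [(hub["name"], ip_network(hub["net"]))]
    nets += [(s["name"], ip_network(s["net"])) for s in spokes]
    for (a, na), (b, nb) in combinations(nets, 2):
        if na.overlaps(nb):
            raise ValueError(f"{a} ({na}) overlaps {b} ({nb})")


def hub_selectors(spoke, hub=HUB, spokes=SPOKES):
    """Hub side of the child SA towards `spoke`: local_ts is the hub network
    plus every *other* spoke network, remote_ts is this spoke's network."""
    local_ts = [hub["net"]] + [s["net"] for s in spokes
                               if s["name"] != spoke["name"]]
    return local_ts, [spoke["net"]]


def spoke_selectors(spoke, hub=HUB, spokes=SPOKES):
    """Spoke side is simply the reverse of the hub's selectors."""
    local_ts, remote_ts = hub_selectors(spoke, hub, spokes)
    return remote_ts, local_ts


def render_conn(name, local, remote, local_ts, remote_ts):
    """One connection block with a single child SA; trap policies are
    installed at load time so traffic triggers the tunnel."""
    return f"""\
    {name} {{
        local_addrs  = {local['addr']}
        remote_addrs = {remote['addr']}
        local {{
            auth = psk
            id = {local['id']}
        }}
        remote {{
            auth = psk
            id = {remote['id']}
        }}
        children {{
            {name} {{
                local_ts  = {','.join(local_ts)}
                remote_ts = {','.join(remote_ts)}
                start_action = trap
            }}
        }}
    }}
"""


def render_secret(name, ids):
    """swanctl 'secrets' entry: id-N selectors plus the shared secret."""
    lines = "\n".join(f"        id-{i + 1} = {peer}" for i, peer in enumerate(ids))
    return f"    ike-{name} {{\n{lines}\n        secret = \"{PSK}\"\n    }}\n"


def hub_conf(hub=HUB, spokes=SPOKES):
    """Complete hub swanctl.conf: one connection per spoke."""
    check_disjoint(hub, spokes)
    conns = "".join(render_conn(f"hub-{s['name']}", hub, s,
                                *hub_selectors(s, hub, spokes)) for s in spokes)
    secrets = "".join(render_secret(s["name"], [hub["id"], s["id"]])
                      for s in spokes)
    return f"connections {{\n{conns}}}\nsecrets {{\n{secrets}}}\n"


def spoke_conf(spoke, hub=HUB, spokes=SPOKES):
    """Complete swanctl.conf for one spoke: a single tunnel to the hub."""
    check_disjoint(hub, spokes)
    conn = render_conn(f"{spoke['name']}-hub", spoke, hub,
                       *spoke_selectors(spoke, hub, spokes))
    secret = render_secret("hub", [spoke["id"], hub["id"]])
    return f"connections {{\n{conn}}}\nsecrets {{\n{secret}}}\n"


if __name__ == "__main__":
    print("# ---- hub: /etc/swanctl/swanctl.conf ----")
    print(hub_conf())
    for s in SPOKES:
        print(f"# ---- {s['name']}: /etc/swanctl/swanctl.conf ----")
        print(spoke_conf(s))
```

With this layout a packet from 10.1.0.0/24 to 10.2.0.0/24 is decrypted on the hub, forwarded by the kernel, matched by the hub-spoke2 child's policy and re-encrypted; no policy-based routing is involved for spoke-to-spoke traffic, but the hub must have IP forwarding enabled (net.ipv4.ip_forward=1) or the decrypted packets are dropped. Adding a spoke means regenerating the hub config and every other spoke's remote_ts, which is exactly the manual per-tunnel bookkeeping Noel describes.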

