[strongSwan] Set up strongswan in hub-and-spoke topology

Noel Kuntze noel at familie-kuntze.de
Mon Mar 30 15:34:13 CEST 2015


Hello Aleksey,

The problem with what you want to do is that you can only
use hosts as gateways that you can reach directly on layer two.
So you cannot do that over an IPsec tunnel.
The way to make that happen is to mark the traffic that you want to route
in a special way. Inside the netfilter stack, you can use marks for that.
In between the physical hosts (on the ethernet wire), you could use
another MAC address to differentiate the packets.
A way to implement that is by using a macvtap interface on top
of your ethernet interface.

The goal of all this is to enable all hosts to differentiate traffic
that is to be handled in a special way.

Kind regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 30.03.2015 at 09:58, unite wrote:
> On 2015-03-28 23:13, Noel Kuntze wrote:
> Hello Aleksey
> 
> You need to define every net-to-net tunnel manually in ipsec.conf or
> swanctl.conf.
> The tunneled subnets for every spoke configuration on the hub would be
>     leftsubnet=allOtherSpokeNetworks
>     rightsubnet=SpokeNetwork
> 
> On the spokes, the declaration would be the reverse of that.
> 
> You can only use a host that is reachable on layer two as a router for
> another host.
> So you cannot do that. You can, however, set the DSCP value in the IP
> packets you want to be routed by the hub, for example, and use
> policy-based routing on the hub to handle them in a special way.
> 
> Kind regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 28.03.2015 at 16:12, unite wrote:
>>>> Hi guys!
>>>>
>>>> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so that I have, for example, a strongswan hub in the central office and multiple spokes whose traffic to each other is routed through the central office? I haven't found a guide on the net, so it would be very helpful if you could point me to one, or just explain how I can configure my tunnels in such a way.
>>>>
>>>> Also, I guess pretty similar question, can I configure clients in spoke's network to use central office as a default gateway, so their traffic should be routed encrypted to the central office, then decrypted and sent to the receiver?
>>>>
>>>> Thanks in advance.
>>>>
> 
> Hi Noel!
> 
> Thanks for your answer, however I got a bit confused by it. So you meant that I can configure a hub-and-spoke topology for routing between the spokes' subnets, but the second scenario, in which all client traffic is first routed through the hub, cannot be achieved using strongswan only - I need some complex PBR configurations on both hub and spoke, I guess?
> 
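The hub-side configuration Noel describes (each spoke's child on the hub carries all other spoke networks as its local side and that spoke's own network as its remote side) generated from a spoke list in swanctl.conf form, as an added example that is not code from any message in this thread. The hub LAN, spoke names, gateway addresses and subnets are constructed sample values, and PSK authentication is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): build the hub-side swanctl.conf blocks for a
# hub-and-spoke mesh. Hub LAN, spoke names, gateway addresses and subnets are
# constructed sample values; PSK authentication is an assumption.
HUB_LAN="10.0.0.0/24"
# One spoke per entry: name:gateway-address:lan-subnet
SPOKES="spoke-a:203.0.113.10:10.1.0.0/24 spoke-b:198.51.100.20:10.2.0.0/24 spoke-c:192.0.2.30:10.3.0.0/24"

# spoke_fields ENTRY -> sets name, addr, subnet from one spoke entry
spoke_fields() { name=${1%%:*}; rest=${1#*:}; addr=${rest%%:*}; subnet=${rest#*:}; }
# hub_ts NAME -> traffic selectors the hub offers towards NAME: its own LAN plus
# every *other* spoke LAN ("leftsubnet=allOtherSpokeNetworks" in the thread).
# The spoke declares the reverse: this same list is its child's remote_ts.
hub_ts() {
    out="$HUB_LAN"
    for s in $SPOKES; do
        spoke_fields "$s"
        [ "$name" = "$1" ] || out="$out,$subnet"
    done
    echo "$out"
}

# hub_conn NAME -> one swanctl.conf connection block (hub side) for that spoke;
# fails if NAME is not listed in SPOKES
hub_conn() {
    for s in $SPOKES; do spoke_fields "$s"; [ "$name" = "$1" ] && break; done
    [ "$name" = "$1" ] || return 1
    cat <<EOF
    $name {
        remote_addrs = $addr
        local  { auth = psk }
        remote { auth = psk }
        children {
            $name {
                local_ts  = $(hub_ts "$name")
                remote_ts = $subnet
                start_action = trap
            }
        }
    }
EOF
}

# hub_config -> the complete connections section, one block per spoke
hub_config() {
    echo "connections {"
    for s in $SPOKES; do hub_conn "${s%%:*}"; done
    echo "}"
}
```

Run `hub_config` to print the full `connections { ... }` section; on each spoke the child is simply the reverse (its own LAN as local_ts, the hub's list for it as remote_ts).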