[strongSwan] Site to Site VPN - One to Many

Noel Kuntze noel at familie-kuntze.de
Tue May 26 20:01:09 CEST 2015



IPsec doesn't care about your routes, only if they
are still there, after the routing has taken place.
It hijacks the packets after the routing decision has been made.
Obviously, the packet has to be destined to actually leave through
some interface. So a simple default route is sufficient.

Look here: http://inai.de/images/nf-packet-flow.png

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.05.2015 at 13:48, Zhuyj wrote:
> No, if the route table is not configured, the policy will not have a chance to handle packets.
>
> Sent from my iPhone
>
>> On 26 May 2015, at 19:37, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>>
> It won't, because IPsec on Linux is all policy based.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> >>> On 26.05.2015 at 13:35, Zhuyj wrote:
> >>> Yeah, maybe a virtual IP will help.
> >>>
> >>>
> >>> Sent from my iPhone
> >>>
> >>>> On 26 May 2015, at 19:16, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >>> Hello,
> >>>
> >>> No, not so easily. You either have to map one of those networks onto another subnet with iptables or use marks to differentiate the traffic.
> >>>
> >>> Kind Regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>>>>> On 26.05.2015 at 13:15, mgundes wrote:
> >>>>>> Zhuyj and Noel, thank you.
> >>>>>>
> >>>>>> Zhuyj, regarding the route table, what if some different private networks have the same subnets? I mean, if two organizations have a 192.168.2.0/24 network, then would it be possible to properly set the route table?
> >>>>>>
> >>>>>> Thanks.
> >>>>>>
> >>>>>> On Tue, May 26, 2015 at 2:05 PM, Zhuyj <mounter625 at 163.com> wrote:
> >>>>>>
> >>>>>>   Pay attention to route table.
> >>>>>>
> >>>>>>
> >>>>>>   Sent from my iPhone
> >>>>>>
> >>>>>>> On 26 May 2015, at 18:42, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> Yes, that is possible. Simply create different conn sections.
> >>>>>>
> >>>>>> Kind Regards,
> >>>>>> Noel Kuntze
> >>>>>>
> >>>>>> GPG Key ID: 0x63EC6658
> >>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>>>>
> >>>>>>>>> On 26.05.2015 at 10:39, mahmut g wrote:
> >>>>>>>>>
> >>>>>>>>> Hello,
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I need to connect to many servers in different private networks. My application should connect to and get data from many (4 or 5) services on those servers. However, I need to create a VPN to those networks to be able to connect to those servers. For instance, one of the private networks has a Cisco 3845 router as VPN hardware and another uses some other solution, etc.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Those private networks belong to different organizations. I am not good at IPsec and VPN issues; I wonder if it is possible to connect to more than one private network from a single Linux VPS machine with strongSwan?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> Regards.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Mahmut
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> Users mailing list
> >>>>>>>>> Users at lists.strongswan.org
> >>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>>>
> >>>>>> --
> >>>>>> Mahmut Gündeş

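Putting the thread's three pieces of advice together (one conn section per peer, iptables NETMAP plus marks for the two 192.168.2.0/24 networks, and no routes beyond the default one), as an added example that is not part of the thread and not strongSwan's own documentation or code. The peer addresses, identities, the alias prefixes 10.201.0.0/24 and 10.202.0.0/24, the mark values, the VPS hostname and the use of IKEv1 for the Cisco peer are all assumptions; the script only prints the ipsec.conf sections and the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the thread or from the strongSwan project.
# Scenario from the thread: one Linux VPS running strongSwan must reach
# hosts in two organisations' LANs, and both LANs are 192.168.2.0/24.
# Technique: give each peer its own local alias prefix and fwmark.
#   - the application talks to the alias prefix (10.201.0.x / 10.202.0.x)
#   - mangle OUTPUT marks the packet by alias prefix (it runs before nat OUTPUT)
#   - nat OUTPUT NETMAPs the alias prefix to the real 192.168.2.0/24
#   - after re-routing, the XFRM policy lookup sees dst 192.168.2.0/24 plus
#     the mark, and each conn section carries mark=, so the right tunnel is used
#   - inbound, the ESP/UDP-4500 packets from each peer are marked so the
#     kernel finds the inbound SA and policy of that conn (mark survives decapsulation)
# No routes for 192.168.2.0/24 or the alias prefixes are needed; the default
# route is enough, the policy takes the packet after the routing decision.
# Peer addresses, identities, alias prefixes and the VPS hostname are
# placeholders (assumptions). PSKs belong in ipsec.secrets, not shown here.

# name   peer-address   remote-lan      local-alias    mark  keyexchange (ikev1 assumed for the Cisco peer)
PEERS='org-a  198.51.100.10  192.168.2.0/24  10.201.0.0/24  1  ikev1
org-b  203.0.113.20   192.168.2.0/24  10.202.0.0/24  2  ikev2'

# One ipsec.conf conn section per peer (strongSwan 5.x ipsec.conf syntax).
# Args: name, peer address, remote LAN, alias (unused here), mark, keyexchange.
# The VPS has no LAN of its own, so leftsubnet is left at its default (the host).
conn_section() {
    cat <<EOF
conn $1
    keyexchange=$6
    left=%defaultroute
    leftid=@vps.example.org
    right=$2
    rightid=$2
    rightsubnet=$3
    mark=$5
    auto=start

EOF
}

# Full ipsec.conf: shared defaults plus one section per peer.
ipsec_conf() {
    cat <<'EOF'
config setup

conn %default
    authby=psk
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=restart

EOF
    echo "$PEERS" | while read -r name peer remote alias mark kx; do
        [ -z "$name" ] && continue
        conn_section "$name" "$peer" "$remote" "$alias" "$mark" "$kx"
    done
}

# iptables rules for one peer. Outbound: mark by alias, then NETMAP to the real
# prefix. Inbound: mark the encrypted packets by peer address so the decrypted
# packet carries the mark this conn's inbound SA and policy expect. Conntrack
# reverses the NETMAP on replies, so the application sees the alias address.
peer_rules() {
    echo "iptables -t mangle -A OUTPUT -d $4 -j MARK --set-mark $5"
    echo "iptables -t nat -A OUTPUT -d $4 -j NETMAP --to $3"
    echo "iptables -t mangle -A PREROUTING -s $2 -p esp -j MARK --set-mark $5"
    echo "iptables -t mangle -A PREROUTING -s $2 -p udp --dport 4500 -j MARK --set-mark $5"
}

iptables_rules() {
    echo "$PEERS" | while read -r name peer remote alias mark kx; do
        [ -z "$name" ] && continue
        peer_rules "$name" "$peer" "$remote" "$alias" "$mark"
    done
}

# Two peers sharing an alias prefix or a mark would collide exactly the way the
# two 192.168.2.0/24 policies would without marks, so refuse to generate that.
check_unique() {
    dup_alias=$(echo "$PEERS" | awk 'NF {print $4}' | sort | uniq -d)
    dup_mark=$(echo "$PEERS" | awk 'NF {print $5}' | sort | uniq -d)
    [ -z "$dup_alias" ] && [ -z "$dup_mark" ]
}

main() {
    check_unique || { echo "duplicate alias prefix or mark in PEERS" >&2; return 1; }
    echo "# ---- /etc/ipsec.conf ----"
    ipsec_conf
    echo "# ---- iptables rules (run as root, then: ipsec restart) ----"
    iptables_rules
}

main
```

After installing the printed conn sections in /etc/ipsec.conf, the PSKs in /etc/ipsec.secrets and the iptables rules, point the application at 10.201.0.x for org-a's 192.168.2.x hosts and at 10.202.0.x for org-b's; `ip xfrm policy` should then show two outbound policies for 192.168.2.0/24 that differ only in their mark, and no route for either prefix is required.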
