[strongSwan] Setup site-to-site VPN via central server

Tobias Brunner tobias at strongswan.org
Fri Jul 15 18:49:00 CEST 2016

Hi Martin,

> Should I document this setup somewhere on the Wiki?

I've added some documentation [1].  As mentioned there, the
hub-and-spoke setup is also demonstrated in an example scenario [2].
Even though its configuration is based on swanctl.conf, the concept is
the same when setting it up via ipsec.conf.

> Out of curiosity, how would you configure the server and client if I
> would like to add vpn-third subnet with

You'd just add that subnet to the list of remote traffic selectors on
the clients and as local traffic selector on the server and the client
that's actually connected to that subnet (basically just an extension of
the config you have now).
You could even simplify the configuration so that clients don't have to
know all the subnets by configuring `rightsubnet=`.  Then the
server is free to narrow that down to the list of subnets it has
configured in `leftsubnet` (this won't work well if you want to use
`auto=route` on the clients, though).


[2] https://www.strongswan.org/testing/testresults/swanctl/net2net-gw/
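
The explicit-list variant described in the reply above, sketched as ipsec.conf fragments for the hub and for one spoke. This is an added example, not configuration from the thread or from the strongSwan project; every address, subnet, identity, certificate file name and conn name in it is a constructed placeholder.

```conf
# Constructed example: all values below are placeholders, not taken from the thread.
# Spoke subnets assumed: first 10.1.0.0/16, second 10.2.0.0/16, third 10.3.0.0/16

# ---------- hub (central server) ipsec.conf ----------
conn %default
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@hub.example.org
    leftcert=hubCert.pem
    right=%any
    auto=add

# One conn per spoke. leftsubnet (the hub's local traffic selectors) lists the
# subnets behind the *other* spokes; rightsubnet is the subnet behind this spoke.
conn spoke-first
    rightid=@first.example.org
    leftsubnet=10.2.0.0/16,10.3.0.0/16
    rightsubnet=10.1.0.0/16

conn spoke-second
    rightid=@second.example.org
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16

# Newly added third site: it also had to be appended to leftsubnet in the
# two conns above.
conn spoke-third
    rightid=@third.example.org
    leftsubnet=10.1.0.0/16,10.2.0.0/16
    rightsubnet=10.3.0.0/16

# ---------- spoke "first" ipsec.conf ----------
conn hub
    keyexchange=ikev2
    leftid=@first.example.org
    leftcert=firstCert.pem
    # local traffic selector: the subnet this spoke is actually connected to
    leftsubnet=10.1.0.0/16
    right=192.0.2.1
    rightid=@hub.example.org
    # remote traffic selectors: every other site, including the new third subnet
    rightsubnet=10.2.0.0/16,10.3.0.0/16
    auto=start
```

With explicit lists like these, each side only accepts traffic selectors it has been configured for, so adding a site means touching the hub and every spoke.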
