[strongSwan] Setup site-to-site VPN via central server

Tobias Brunner tobias at strongswan.org
Tue Jul 19 12:26:40 CEST 2016

Hi Martin,

>> I've added some documentation [1]. 
> I read through the hub-and-spoke setup on the internet. Is my setup
> actually a hub-and-spoke type? I connect from the gateways directly to
> the internet and only the traffic to is routed through
> VPN.

What traffic you tunnel does not matter (i.e. if you use split-tunneling
or tunnel all traffic to the hub) the topology is the same.

> Also the text in [1] mentions A-C whereas the diagram shows A-D. Is
> this on purpose?

The diagrams show four hosts as I though that illustrates the difference
between the two approaches a bit better (a full mesh with three hosts
doesn't really illustrate the exponential increase in the number of
required connections).

>>> Out of curiosity, how would you configure the server and client if I
>>> would like to add vpn-third subnet with
>> You'd just add that subnet to the list of remote traffic selectors on
>> the clients and as local traffic selector on the server and the client
> So this would (or could) result in the following traffic selectors?
> ## IPs:
> Server IP =
> First GW =
> Second GW =
> Third GW =
> ## Server.conf
> conn vpn-first
>         rightsubnet =
>         leftsubnet =
> ## First-Gateway.conf
> conn vpn-first
>         rightsubnet =
>         leftsubnet =

You could do that but then you'd have to add a passthrough policy for on the first gateway (otherwise it would tunnel that
traffic too).  Or just set leftsubnet=, on
the server in this config so the traffic selector gets narrowed and the
first gateway only tunnels traffic for these two subnets.


More information about the Users mailing list