[strongSwan] Setup site-to-site VPN via central server
tobias at strongswan.org
Tue Jul 19 12:26:40 CEST 2016
>> I've added some documentation .
> I read through the hub-and-spoke setup on the internet. Is my setup
> actually a hub-and-spoke type? I connect from the gateways directly to
> the internet and only the traffic to 188.8.131.52/16 is routed through
What traffic you tunnel does not matter (i.e. if you use split-tunneling
or tunnel all traffic to the hub) the topology is the same.
> Also the text in  mentions A-C whereas the diagram shows A-D. Is
> this on purpose?
The diagrams show four hosts as I though that illustrates the difference
between the two approaches a bit better (a full mesh with three hosts
doesn't really illustrate the exponential increase in the number of
>>> Out of curiosity, how would you configure the server and client if I
>>> would like to add vpn-third subnet with 192.168.3.0?
>> You'd just add that subnet to the list of remote traffic selectors on
>> the clients and as local traffic selector on the server and the client
> So this would (or could) result in the following traffic selectors?
> ## IPs:
> Server IP = 192.168.0.1
> First GW = 192.168.1.0/24
> Second GW = 192.168.2.0/24
> Third GW = 192.168.3.0/24
> ## Server.conf
> conn vpn-first
> rightsubnet = 192.168.1.0/24
> leftsubnet = 192.168.0.0/16
> ## First-Gateway.conf
> conn vpn-first
> rightsubnet = 192.168.0.0/16
> leftsubnet = 192.168.1.0/24
You could do that but then you'd have to add a passthrough policy for
192.168.1.0/24 on the first gateway (otherwise it would tunnel that
traffic too). Or just set leftsubnet=192.168.2.0/24,192.168.3.0/24 on
the server in this config so the traffic selector gets narrowed and the
first gateway only tunnels traffic for these two subnets.
More information about the Users