[strongSwan] Setup site-to-site VPN via central server

Tobias Brunner tobias at strongswan.org
Tue Jul 19 12:26:40 CEST 2016


Hi Martin,

>> I've added some documentation [1]. 
> I read through the hub-and-spoke setup on the internet. Is my setup
> actually a hub-and-spoke type? I connect from the gateways directly to
> the internet and only the traffic to 192.68.0.0/16 is routed through
> VPN.

What traffic you tunnel does not matter (i.e. whether you use
split-tunneling or tunnel all traffic to the hub); the topology is the same.

> Also the text in [1] mentions A-C whereas the diagram shows A-D. Is
> this on purpose?

The diagrams show four hosts as I thought that illustrates the difference
between the two approaches a bit better (a full mesh with three hosts
doesn't really illustrate the exponential increase in the number of
required connections).

>>> Out of curiosity, how would you configure the server and client if I
>>> would like to add vpn-third subnet with 192.168.3.0?
>> You'd just add that subnet to the list of remote traffic selectors on
>> the clients and as local traffic selector on the server and the client
> So this would (or could) result in the following traffic selectors?
> 
> ## IPs:
> Server IP = 192.168.0.1
> First GW = 192.168.1.0/24
> Second GW = 192.168.2.0/24
> Third GW = 192.168.3.0/24
> 
> ## Server.conf
> conn vpn-first
>         rightsubnet = 192.168.1.0/24
>         leftsubnet = 192.168.0.0/16
>
> ## First-Gateway.conf
> conn vpn-first
>         rightsubnet = 192.168.0.0/16
>         leftsubnet = 192.168.1.0/24

You could do that but then you'd have to add a passthrough policy for
192.168.1.0/24 on the first gateway (otherwise it would tunnel that
traffic too).  Or just set leftsubnet=192.168.2.0/24,192.168.3.0/24 on
the server in this config so the traffic selector gets narrowed and the
first gateway only tunnels traffic for these two subnets.

Regards,
Tobias
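The two alternatives described in the reply above, written out as ipsec.conf fragments. This is an added example, not configuration from the thread or from the strongSwan project: it assumes IKEv2 (narrowing of the proposed traffic selectors by the responder is an IKEv2 mechanism), assumes the spoke identities @first-gw, @second-gw and @third-gw, and omits the left/right addresses, certificates and authentication settings, which are taken to be configured elsewhere.

```ini
# ---- hub (server) ipsec.conf ----
# Added example; assumes IKEv2 and the rightid values shown.
conn %default
        keyexchange=ikev2
        auto=add

# One conn per spoke. leftsubnet lists only the OTHER spokes' subnets, so
# the broad 192.168.0.0/16 the spoke proposes is narrowed by the hub and a
# spoke never ends up tunnelling traffic destined for its own LAN.
conn vpn-first
        rightid=@first-gw
        rightsubnet=192.168.1.0/24
        leftsubnet=192.168.2.0/24,192.168.3.0/24

conn vpn-second
        rightid=@second-gw
        rightsubnet=192.168.2.0/24
        leftsubnet=192.168.1.0/24,192.168.3.0/24

conn vpn-third
        rightid=@third-gw
        rightsubnet=192.168.3.0/24
        leftsubnet=192.168.1.0/24,192.168.2.0/24

# ---- first gateway ipsec.conf ----
# The spoke keeps the broad selector; the hub's narrowed leftsubnet decides
# which subnets actually get an IPsec policy on this gateway.
conn vpn-first
        keyexchange=ikev2
        leftid=@first-gw
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.0.0/16
        auto=start

# Alternative if the hub keeps leftsubnet=192.168.0.0/16 unnarrowed: a
# passthrough policy exempts local LAN traffic from the tunnel. It is
# installed locally with auto=route and is never negotiated with the hub.
conn local-passthrough
        type=passthrough
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.1.0/24
        auto=route
```

With the hub-side narrowing in place, `ipsec statusall` on the first gateway should list installed CHILD_SAs for 192.168.2.0/24 and 192.168.3.0/24 only; if 192.168.1.0/24 appears as a remote selector, the narrowing did not take effect and the passthrough variant is needed. If hosts behind the hub itself must also be reachable, their subnet (assumed here to be 192.168.0.0/24) would be added to each leftsubnet list on the hub.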


