[strongSwan] Many-to-many scenario using transport mode

Andreas Heinlein aheinlein at gmx.com
Tue Sep 6 08:33:12 CEST 2016


I am trying to setup IPsec in a many-to-many scenario on a single 
subnet, i.e. a larger number of hosts on the same subnet should be able 
to communicate over IPsec in transport mode. Any host should be able to 
communicate with any other host, and connections should be initiated 
from either side. Hosts should be authenticated using a X.509 cert 
signed by a single private CA. Sonme of the hosts may be down at times.

I have seen several reports on the net which suggest it is possible, but 
I found no working example. Basically, I would think that I have to set 
both left and right to "%any" in ipsec.conf, but how do I identify who's 
left and who's right in this case? Where do I put the hosts own 
certificate? If I specify the cert as leftcert on all hosts, all hosts 
think they are left, which will not work, right?

Is "opportunistic encryption" the right path here?

Sorry if I am overlooking something very simple here.


More information about the Users mailing list