[strongSwan] One to Many VPN (Host-Host)

Info infosec at quantum-equities.com
Tue Mar 6 02:25:43 CET 2018

On 03/05/2018 12:13 PM, Info wrote:
> I'm looking to VPN every machine in a LAN.  I infer that this would be
> something like a host-to-host config.
> I'll use swanctl/vici and x509 certs.
> I can't identify any configurations that seem right for this at
> https://www.strongswan.org/testing/testresults/swanctl/
> Maybe? 
> https://www.strongswan.org/testing/testresults/swanctl/ip-pool/index.html
> Also, there is a machine outside on the Internet which I'd like to
> join the party transparently.  It's a mail server, so somehow I'd like
> its mail traffic to not be VPNed, but everything else to be.  I guess
> this might be a roadwarrior with some kind of split for the mail ports.

So my best idea, since IPSec is point-to-point, is to set up a 'hub and
spoke' config.  IOW designate one machine as the hub and its
remote_addrs are IPs of the multiple other members of the LAN which will
be in the VPN.  Or maybe just the CIDR/24 of the LAN.  And all the other
members would point to the hub with their remote_addrs.  The hub would
be a juicy target for attack though, and forwarding must be on.

Of course the traffic selectors would be the CIDR/24 of the LAN,
although I haven't figured out how to include a remote machine in the ts
since its IP could change.  Maybe I could use its resolvable domain
name, and DNAT it in through the firewall to the hub.  But this doesn't
solve the problem of phones and tablets which change outside IPs and
don't have resolvable domain names.

And what would 'remote' id= be in the hub?  %any?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180305/34eb6b4c/attachment.html>

More information about the Users mailing list