[strongSwan] One to Many VPN (Host-Host)
Info
infosec at quantum-equities.com
Wed Mar 7 15:47:12 CET 2018
Any input would be appreciated.
On 03/05/2018 05:25 PM, Info wrote:
>
> On 03/05/2018 12:13 PM, Info wrote:
>>
>> I'm looking to VPN every machine in a LAN. I infer that this would
>> be something like a host-to-host config.
>>
>> I'll use swanctl/vici and x509 certs.
>>
>> I can't identify any configurations that seem right for this at
>>
>> https://www.strongswan.org/testing/testresults/swanctl/
>>
>> Maybe?
>> https://www.strongswan.org/testing/testresults/swanctl/ip-pool/index.html
>>
>>
>> Also, there is a machine outside on the Internet which I'd like to
>> join the party transparently. It's a mail server, so somehow I'd
>> like its mail traffic to not be VPNed, but everything else to be. I
>> guess this might be a roadwarrior with some kind of split for the
>> mail ports.
>>
>
> So my best idea, since IPSec is point-to-point, is to set up a 'hub
> and spoke' config. IOW designate one machine as the hub and its
> remote_addrs are IPs of the multiple other members of the LAN which
> will be in the VPN. Or maybe just the CIDR/24 of the LAN. And all
> the other members would point to the hub with their remote_addrs. The
> hub would be a juicy target for attack though, and forwarding must be on.
>
> Of course the traffic selectors would be the CIDR/24 of the LAN,
> although I haven't figured out how to include a remote machine in the
> ts since its IP could change. Maybe I could use its resolvable domain
> name, and DNAT it in through the firewall to the hub. But this
> doesn't solve the problem of phones and tablets which change outside
> IPs and don't have resolvable domain names.
>
> And what would 'remote' id= be in the hub? %any?
>
>
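As an added example that is not from this thread or the strongSwan project, the hub-and-spoke layout sketched above written out as swanctl.conf for the hub and for one LAN spoke; the LAN 192.0.2.0/24, the hub address 192.0.2.1, the identities and the certificate file names are assumptions.

```conf
# swanctl.conf on the hub (assumed: hub is 192.0.2.1 on LAN 192.0.2.0/24)
connections {
    spokes {
        local_addrs  = 192.0.2.1
        remote_addrs = %any        # LAN hosts and roaming Internet peers alike
        local {
            auth  = pubkey
            certs = hub.pem            # hub certificate (assumed file name)
            id    = hub.example.org    # a subjectAltName in hub.pem
        }
        remote {
            auth = pubkey
            # %any pins no single identity; a peer must still present a
            # certificate chaining to ca.pem, so only members the CA
            # issued certificates to can connect
            id         = %any
            cacerts    = ca.pem
            revocation = strict
        }
        children {
            lan {
                local_ts  = 192.0.2.0/24
                remote_ts = 192.0.2.0/24   # hub forwards spoke-to-spoke traffic
            }
        }
    }
}
# swanctl.conf on a spoke (assumed: 192.0.2.10, certificate spoke10.pem)
connections {
    hub {
        remote_addrs = 192.0.2.1
        local {
            auth  = pubkey
            certs = spoke10.pem
            id    = spoke10.example.org
        }
        remote {
            auth    = pubkey
            id      = hub.example.org      # pin the hub's identity
            cacerts = ca.pem
        }
        children {
            lan {
                local_ts  = dynamic        # this host's own address
                remote_ts = 192.0.2.0/24   # everything else is sent via the hub
                start_action = start
            }
        }
    }
}
```

The hub needs IP forwarding enabled for spoke-to-spoke traffic to pass, and a spoke that should leave some ports unprotected (the mail server case) has to list only the protected address/port ranges in its selectors, because an IKEv2 traffic selector can include ranges but cannot exclude them.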