[strongSwan] One to Many VPN (Host-Host)
infosec at quantum-equities.com
Wed Mar 7 15:47:12 CET 2018
Any input would be appreciated.
On 03/05/2018 05:25 PM, Info wrote:
> On 03/05/2018 12:13 PM, Info wrote:
>> I'm looking to VPN every machine in a LAN. I infer that this would
>> be something like a host-to-host config.
>> I'll use swanctl/vici and x509 certs.
>> I can't identify any configurations that seem right for this at
>> Also, there is a machine outside on the Internet which I'd like to
>> join the party transparently. It's a mail server, so somehow I'd
>> like its mail traffic to not be VPNed, but everything else to be. I
>> guess this might be a roadwarrior with some kind of split for the
>> mail ports.
> So my best idea, since IPSec is point-to-point, is to set up a 'hub
> and spoke' config. IOW designate one machine as the hub and its
> remote_addrs are IPs of the multiple other members of the LAN which
> will be in the VPN. Or maybe just the CIDR/24 of the LAN. And all
> the other members would point to the hub with their remote_addrs. The
> hub would be a juicy target for attack though, and forwarding must be on.
> Of course the traffic selectors would be the CIDR/24 of the LAN,
> although I haven't figured out how to include a remote machine in the
> ts since its IP could change. Maybe I could use its resolvable domain
> name, and DNAT it in through the firewall to the hub. But this
> doesn't solve the problem of phones and tablets which change outside
> IPs and don't have resolvable domain names.
> And what would 'remote' id= be in the hub? %any?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users