[strongSwan] One to Many VPN (Host-Host)

Info infosec at quantum-equities.com
Sat Mar 17 01:16:18 CET 2018


Nothing.  Hm.


On 03/07/2018 06:47 AM, Info wrote:
>
> Any input would be appreciated.
>
>
> On 03/05/2018 05:25 PM, Info wrote:
>>
>> On 03/05/2018 12:13 PM, Info wrote:
>>>
>>> I'm looking to VPN every machine in a LAN.  I infer that this would
>>> be something like a host-to-host config.
>>>
>>> I'll use swanctl/vici and x509 certs.
>>>
>>> I can't identify any configurations that seem right for this at
>>>
>>> https://www.strongswan.org/testing/testresults/swanctl/
>>>
>>> Maybe? 
>>> https://www.strongswan.org/testing/testresults/swanctl/ip-pool/index.html
>>>
>>>
>>> Also, there is a machine outside on the Internet which I'd like to
>>> join the party transparently.  It's a mail server, so somehow I'd
>>> like its mail traffic to not be VPNed, but everything else to be.  I
>>> guess this might be a roadwarrior with some kind of split for the
>>> mail ports.
>>>
>>
>> So my best idea, since IPsec is point-to-point, is to set up a 'hub
>> and spoke' config.  IOW designate one machine as the hub and its
>> remote_addrs are IPs of the multiple other members of the LAN which
>> will be in the VPN.  Or maybe just the CIDR/24 of the LAN.  And all
>> the other members would point to the hub with their remote_addrs. 
>> The hub would be a juicy target for attack though, and forwarding
>> must be on.
>>
>> Of course the traffic selectors would be the CIDR/24 of the LAN,
>> although I haven't figured out how to include a remote machine in the
>> ts since its IP could change.  Maybe I could use its resolvable
>> domain name, and DNAT it in through the firewall to the hub.  But
>> this doesn't solve the problem of phones and tablets which change
>> outside IPs and don't have resolvable domain names.
>>
>> And what would 'remote' id= be in the hub?  %any?
>>
>>
>

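The hub-and-spoke layout sketched in the quoted message, written out as a swanctl.conf pair. This is an added example, not configuration from the thread or from strongSwan's test suite; the addresses, identities, certificate file names and the pool range are placeholders, and the tcp/25 bypass child is one reading of the "split for the mail ports". The hub leaves remote_addrs and remote.id at %any, so any spoke can initiate from any address (including phones and tablets whose outside IP changes) and is identified by a certificate chaining to the private CA rather than by its IP; roadwarriors request a virtual IP from the hub's pool so that their traffic selector stays stable.

```conf
# /etc/swanctl/swanctl.conf on the hub (assumed LAN address 192.168.1.1)
# Certificates live under /etc/swanctl/x509, the CA under /etc/swanctl/x509ca,
# private keys under /etc/swanctl/private; file names are placeholders.
connections {
    spokes {
        version      = 2
        local_addrs  = 192.168.1.1
        remote_addrs = %any          # any spoke: LAN host or roadwarrior
        pools        = rw-pool       # only used by peers that ask for a VIP
        local {
            auth  = pubkey
            certs = hubCert.pem
            id    = hub.example.lan  # must match a subjectAltName in hubCert.pem
        }
        remote {
            auth    = pubkey
            id      = %any           # any identity whose cert chains to caCert.pem
            cacerts = caCert.pem
        }
        children {
            lan {
                local_ts  = 192.168.1.0/24
                remote_ts = dynamic  # the peer's own address, or its assigned VIP
            }
        }
    }
}
pools {
    rw-pool {
        # virtual IPs handed to roadwarriors; assumed to be excluded from the
        # LAN's DHCP range so they do not collide with real LAN hosts
        addrs = 192.168.1.240/28
    }
}

# /etc/swanctl/swanctl.conf on each LAN host (spoke). The same file serves a
# roadwarrior if remote_addrs points at the hub's public address and the
# commented-out vips line is enabled.
connections {
    hub {
        version      = 2
        remote_addrs = 192.168.1.1   # roadwarriors: the hub's public DNS name
        # vips = 0.0.0.0             # roadwarriors only: request a VIP from rw-pool
        local {
            auth  = pubkey
            certs = spokeCert.pem    # per-host certificate from the same CA
        }
        remote {
            auth    = pubkey
            id      = hub.example.lan
            cacerts = caCert.pem
        }
        children {
            lan {
                # local_ts defaults to dynamic: this host's address (or its VIP)
                remote_ts    = 192.168.1.0/24
                start_action = trap  # install policies now, negotiate on first packet
            }
            # Mail server only: keep SMTP towards the LAN out of the tunnel.
            # Assumed interpretation of the "split for the mail ports"; the hub
            # needs the mirror-image pass child for the reverse direction.
            mail-bypass {
                local_ts     = 0.0.0.0/0[tcp/25]
                remote_ts    = 192.168.1.0/24
                mode         = pass
                start_action = trap
            }
        }
    }
}
```

Load both sides with `swanctl --load-all` and inspect the result with `swanctl --list-conns` and `swanctl --list-sas`. The hub must forward between spoke tunnels, so `net.ipv4.ip_forward=1` is required there, and any firewall on the hub has to accept ESP (protocol 50) plus UDP 500/4500 from the outside as well as the decrypted LAN traffic between spokes. Because every spoke's remote_ts is the whole /24, host-to-host traffic inside the LAN is always carried spoke, hub, spoke; the hub sees it in the clear between the two tunnels, which is the "juicy target" concern raised in the message.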