[strongSwan] One to Many VPN (Host-Host)
infosec at quantum-equities.com
Sat Mar 17 01:16:18 CET 2018
On 03/07/2018 06:47 AM, Info wrote:
> Any input would be appreciated.
> On 03/05/2018 05:25 PM, Info wrote:
>> On 03/05/2018 12:13 PM, Info wrote:
>>> I'm looking to VPN every machine in a LAN. I infer that this would
>>> be something like a host-to-host config.
>>> I'll use swanctl/vici and x509 certs.
>>> I can't identify any configurations that seem right for this at
>>> Also, there is a machine outside on the Internet which I'd like to
>>> join the party transparently. It's a mail server, so somehow I'd
>>> like its mail traffic to not be VPNed, but everything else to be. I
>>> guess this might be a roadwarrior with some kind of split for the
>>> mail ports.
>> So my best idea, since IPSec is point-to-point, is to set up a 'hub
>> and spoke' config. IOW designate one machine as the hub and its
>> remote_addrs are IPs of the multiple other members of the LAN which
>> will be in the VPN. Or maybe just the CIDR/24 of the LAN. And all
>> the other members would point to the hub with their remote_addrs.
>> The hub would be a juicy target for attack though, and forwarding
>> must be on.
>> Of course the traffic selectors would be the CIDR/24 of the LAN,
>> although I haven't figured out how to include a remote machine in the
>> ts since its IP could change. Maybe I could use its resolvable
>> domain name, and DNAT it in through the firewall to the hub. But
>> this doesn't solve the problem of phones and tablets which change
>> outside IPs and don't have resolvable domain names.
>> And what would 'remote' id= be in the hub? %any?
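The sketch below is an added illustration, not from this thread and not a strongSwan project example, of the hub-and-spoke layout described above in swanctl.conf syntax. The LAN 10.0.0.0/24, the hub at 10.0.0.1, the spoke 10.0.0.5, the virtual-IP pool 10.0.1.0/24, the identities and certificate file names, and the `vpn.example.com` name the outside mail server dials are all assumptions chosen for the example. It uses two mechanisms that sidestep the "changing outside IP" problem: the hub sets `remote_addrs = %any` and `remote { id = %any }` so any peer that presents a certificate issued by a CA in the hub's trust store is accepted (which makes the CA, not a list of IPs or names, the trust boundary), and outside peers request a virtual IP with `vips = 0.0.0.0` so the hub's `remote_ts = dynamic` covers both LAN spokes (their real address) and outside peers (their assigned address). The mail server keeps SMTP out of the tunnel with a `mode = pass` child, which strongSwan installs with a higher policy priority than the tunnel policies. Forwarding must be enabled on the hub for spoke-to-spoke traffic.

```conf
# Added example (not from the thread). Addresses, identities and file
# names are assumed; certificates live under /etc/swanctl/x509* as usual.

# --- Hub (10.0.0.1): /etc/swanctl/swanctl.conf ---
connections {
    hub {
        local_addrs  = 10.0.0.1
        # Spokes come from the LAN, from a DNATed public address, or from
        # phones/tablets with changing IPs: the hub only responds.
        remote_addrs = %any
        local {
            auth  = pubkey
            certs = hubCert.pem
            id    = hub.example.lan
        }
        remote {
            auth = pubkey
            # Not pinned to one identity; the peer must present a certificate
            # chaining to a CA in /etc/swanctl/x509ca.
            id   = %any
        }
        # Outside peers that request a virtual IP get one from here.
        pools = rw_pool
        children {
            lan {
                local_ts  = 10.0.0.0/24
                # Narrowed per spoke: the spoke's real address for LAN hosts,
                # its assigned virtual IP for outside peers.
                remote_ts = dynamic
                # The hub cannot initiate towards %any, so no trap here.
                start_action = none
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.0.1.0/24
    }
}

# --- LAN spoke (10.0.0.5): /etc/swanctl/swanctl.conf ---
connections {
    to-hub {
        local_addrs  = 10.0.0.5
        remote_addrs = 10.0.0.1
        local {
            auth  = pubkey
            certs = host5Cert.pem
            id    = host5.example.lan
        }
        remote {
            auth = pubkey
            # The spoke does pin the hub's identity.
            id   = hub.example.lan
        }
        children {
            lan {
                local_ts  = 10.0.0.5/32
                remote_ts = 10.0.0.0/24
                # Trap policies: the first packet towards the LAN brings up the SA.
                start_action = trap
            }
        }
    }
}

# --- Outside mail server (changing public IP): /etc/swanctl/swanctl.conf ---
connections {
    to-hub {
        # Hub's public name; the firewall DNATs udp/500 and udp/4500 to 10.0.0.1.
        remote_addrs = vpn.example.com
        # Ask the hub for a virtual IP; local_ts then defaults to that address.
        vips = 0.0.0.0
        local {
            auth  = pubkey
            certs = mailCert.pem
            id    = mail.example.com
        }
        remote {
            auth = pubkey
            id   = hub.example.lan
        }
        children {
            lan {
                remote_ts = 10.0.0.0/24
                start_action = trap
            }
            # Split for the mail ports: flows to this host's SMTP and submission
            # ports never match a tunnel policy, whatever the peer address is.
            mail-bypass {
                mode      = pass
                local_ts  = 0.0.0.0/0[tcp/25],0.0.0.0/0[tcp/587]
                remote_ts = 0.0.0.0/0
                start_action = trap
            }
        }
    }
}
```

Load with `swanctl --load-all` on each host and check the result with `swanctl --list-sas`; on the hub, `swanctl --list-pols` shows the narrowed per-spoke policies. With `id = %any` on the hub, every certificate the CA has issued is a valid spoke credential, so revocation (CRL or OCSP) and a tight CA are what keep a lost phone or a retired host out of the VPN.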