[strongSwan] Dynamic/Smart routing in multiple site-to-site network

Yanzhe Lee lee.yanzhe at yanzhe.org
Tue Aug 20 06:43:53 CEST 2019


Hello,

I want to create a network with multiple "satellite" networks; each
satellite is connected to a "hub" server via site-to-site VPN.
The server GH is acting as a hub for the other subnets.
GA, GB, GC, GH are distinct servers on the public network.
What I want to achieve is that hosts on the 'satellite' networks (Net
A/B/C) can communicate with each other via GH.
For example, hosts on Net A can communicate with hosts on Net B and C via GH.

Topology:

 10.0.1.0/24     10.0.1.1              10.0.2.1         10.0.2.0/24
 +-------+     +------------+        +------------+     +-------+
 | Net A | --- | Gateway GA |        | Gateway GB | --- | Net B |
 +-------+     +------------+        +------------+     +-------+
                       \                /
                        \              /
                         +------------+
              10.255.0.1 | Gateway GH |
                         +------------+
                        /              \
                       /                \
               +-------+             +------------+     +-------+
               | Net H |             | Gateway GC | --- | Net C |
               +-------+             +------------+     +-------+
             10.255.0.0/24              10.0.3.1       10.0.3.0/24


According to my tests, the following swanctl.conf
configurations (simplified) work well for this scenario.

GH config:
remote_addrs = %any
local_ts = 10.255.0.0/24,10.0.1.0/24,10.0.2.0/24,10.0.3.0/24
remote_ts = 0.0.0.0/0

GA config:
remote_addrs = gh.example.com
local_ts = 10.0.1.0/24

GB config:
remote_addrs = gh.example.com
local_ts = 10.0.2.0/24

GC config:
remote_addrs = gh.example.com
local_ts = 10.0.3.0/24

But this solution needs to hard-code all satellite subnets in GH's
configuration so that each satellite gateway can be aware of all
other subnets.
This is sub-optimal because it lacks flexibility.

The better behavior is:
If a new satellite network connects to GH, for example Net D
(10.0.4.0/24) with gateway GD, all other satellites can be notified
and automatically set up the correct routing policy via traffic
selector or other mechanism without modifying other server's
configuration.

So, how can I achieve this? Is this possible?

I'm also interested in Route-Based VPN via xfrm interfaces (since
strongSwan 5.8.0). Can this feature be used to solve my question?

I found that the scenario of this
tutorial (https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html)
is similar to mine, and it uses VTI devices.
But I don't understand it well; is it related to my question?

-- 
Best regards!

Yanzhe Lee
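Added example (not the poster's configuration and not from the strongSwan project): a fuller swanctl.conf for the hub GH and the satellite GA in the design described above, including the parts the simplified snippets leave out, and, commented out, the xfrm-interface variant available since 5.8.0, where the traffic selectors stay wide open and routes through the interface decide which subnet is reached over the tunnel. Certificate file names, identities and the if_id value are assumptions.

```conf
# GH (hub): /etc/swanctl/swanctl.conf   (added example, names assumed)
connections {
    hub {
        remote_addrs = %any              # any satellite may connect
        local {
            auth = pubkey
            certs = ghCert.pem           # assumed file name
            id = gh.example.com
        }
        remote {
            auth = pubkey
            cacerts = caCert.pem         # accept any satellite signed by this CA
        }
        children {
            spokes {
                # Everything GH may forward: its own net plus every satellite.
                # A satellite's proposed remote_ts (0.0.0.0/0) is narrowed to
                # this list during CHILD_SA negotiation, which is why adding
                # Net D means editing this line on GH.
                local_ts  = 10.255.0.0/24,10.0.1.0/24,10.0.2.0/24,10.0.3.0/24
                remote_ts = 0.0.0.0/0    # narrowed to the satellite's local_ts
            }
        }
    }
}

# GA (satellite): /etc/swanctl/swanctl.conf
connections {
    to-hub {
        remote_addrs = gh.example.com
        local {
            auth = pubkey
            certs = gaCert.pem           # assumed file name
            id = ga.example.com
        }
        remote {
            auth = pubkey
            id = gh.example.com
        }
        children {
            hub {
                local_ts  = 10.0.1.0/24
                remote_ts = 0.0.0.0/0    # GH narrows this to its local_ts list
                start_action = start
            }
            # Route-based alternative (strongSwan >= 5.8.0): bind the CHILD_SA to
            # an xfrm interface; which subnets go through the tunnel is then
            # decided by routes over that interface, not by the TS list.
            # hub-xfrm {
            #     local_ts  = 0.0.0.0/0
            #     remote_ts = 0.0.0.0/0
            #     if_id_in  = 42           # assumed interface id
            #     if_id_out = 42
            #     start_action = start
            # }
        }
    }
}
```

With the route-based child, the xfrm interface is created outside strongSwan (for example ip link add ipsec0 type xfrm dev eth0 if_id 42) and each reachable subnet gets a route through it.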