[strongSwan] Dynamic/Smart routing in multiple site-to-site network

Yanzhe Lee lee.yanzhe at yanzhe.org
Tue Aug 20 06:43:53 CEST 2019


I want to create a network with multiple "satellite" networks, each
satellite is connected to a "hub" server via site-to-site VPN,
The server GH is acting as a hub of other subnets.
GA, GB, GC, GH are distinct server on public network.
What I want to achieve is that hosts on 'satellite' networks(Net
A/B/C) can communicate to each other via GH.
For example, hosts on net A can communicate to hosts on net B and C via GH.

 +-------+     +------------+        +------------+     +-------+
 | Net A | --- | Gateway GA |        | Gateway GB | --- | Net B |
 +-------+     +------------+        +------------+     +-------+
                       \                /
                        \              /
     | Gateway GH |
                        /              \
                       /                \
               +-------+             +------------+     +-------+
               | Net H |             | Gateway GC | --- | Net C |
               +-------+             +------------+     +-------+

According to my tests, the following swanctl.conf
configurations(simplified) work well for this scenario.

GH config:
remote_addrs = %any
local_ts =,,,
remote_ts =

GA config:
remote_addrs = gh.example.com
local_ts =

GB config:
remote_addrs = gh.example.com
local_ts =

GC config:
remote_addrs = gh.example.com
local_ts =

But this solution needs to hard coding all satellite subnets in GH's
configuration, so that each satellite gateway can be aware of all
other subnets.
This is sub-optimal because it lacks flexibility.

The better behavior is:
If a new satellite network connects to GH, for example Net D
( with gateway GD, all other satellites can be notified
and automatically set up the correct routing policy via traffic
selector or other mechanism without modifying other server's

So, how can I achieve this? Is this possible?

I'm also interested in Route-Based VPN by xfrm interfaces(Since
StrongSwan 5.8.0). Can this feature be used to solve my question?

I found the scenario of this
is similar to mine, and it uses VTI devices.
But I don't understand it well, is it related to my question?

Best regards!

Yanzhe Lee
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5102 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190820/bcf2da89/attachment.bin>

More information about the Users mailing list