[strongSwan] Dynamic/Smart routing in multiple site-to-site network

Noel Kuntze noel.kuntze at thermi.consulting
Tue Aug 20 08:54:33 CEST 2019


Hello,

Yes. Just use route based IPsec and dynamic routing.

Kind regards

Noel

On 20.08.19 at 06:43, Yanzhe Lee wrote:
> Hello,
>
> I want to create a network with multiple "satellite" networks; each
> satellite is connected to a "hub" server via site-to-site VPN.
> The server GH is acting as a hub for the other subnets.
> GA, GB, GC, GH are distinct servers on the public network.
> What I want to achieve is that hosts on 'satellite' networks (Net
> A/B/C) can communicate with each other via GH.
> For example, hosts on net A can communicate with hosts on net B and C via GH.
>
> Topology:
>
>  10.0.1.0/24     10.0.1.1              10.0.2.1         10.0.2.0/24
>  +-------+     +------------+        +------------+     +-------+
>  | Net A | --- | Gateway GA |        | Gateway GB | --- | Net B |
>  +-------+     +------------+        +------------+     +-------+
>                        \                /
>                         \              /
>                          +------------+
>               10.255.0.1 | Gateway GH |
>                          +------------+
>                         /              \
>                        /                \
>                +-------+             +------------+     +-------+
>                | Net H |             | Gateway GC | --- | Net C |
>                +-------+             +------------+     +-------+
>              10.255.0.0/24              10.0.3.1       10.0.3.0/24
>
>
> According to my tests, the following swanctl.conf
> configurations (simplified) work well for this scenario.
>
> GH config:
> remote_addrs = %any
> local_ts = 10.255.0.0/24,10.0.1.0/24,10.0.2.0/24,10.0.3.0/24
> remote_ts = 0.0.0.0/0
>
> GA config:
> remote_addrs = gh.example.com
> local_ts = 10.0.1.0/24
>
> GB config:
> remote_addrs = gh.example.com
> local_ts = 10.0.2.0/24
>
> GC config:
> remote_addrs = gh.example.com
> local_ts = 10.0.3.0/24
>
> But this solution requires hard-coding all satellite subnets in GH's
> configuration so that each satellite gateway can be aware of all
> other subnets.
> This is sub-optimal because it lacks flexibility.
>
> The better behavior is:
> If a new satellite network connects to GH, for example Net D
> (10.0.4.0/24) with gateway GD, all other satellites can be notified
> and automatically set up the correct routing policy via traffic
> selectors or another mechanism without modifying the other servers'
> configuration.
>
> So, how can I achieve this? Is this possible?
>
> I'm also interested in Route-Based VPN via xfrm interfaces (since
> strongSwan 5.8.0). Can this feature be used to solve my problem?
>
> I found the scenario of this
> tutorial (https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html)
> is similar to mine, and it uses VTI devices.
> But I don't understand it well; is it related to my question?
>

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
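
Noel's one-line answer in concrete form, as an added example that is not from this thread or from the strongSwan project: a minimal swanctl.conf pair for the hub GH and for satellite GA using XFRM interfaces (strongSwan 5.8.0 or later). The hostnames, certificate and CA file names, the updown script path, the interface name ipsec0 and the if_id value 42 are assumptions; GB and GC get the same satellite file with their own certificate and id.

```conf
# ---- GH (hub), e.g. /etc/swanctl/conf.d/hub.conf ----
# One connection accepts every satellite; the hub never lists their subnets.
connections {
    satellites {
        remote_addrs = %any
        local {
            auth  = pubkey
            certs = gh.pem                 # assumed file name
            id    = gh.example.com
        }
        remote {
            auth    = pubkey               # any peer holding a cert from this CA
            cacerts = ca.pem               # assumed file name
        }
        children {
            tunnel {
                # Wildcard selectors: the IPsec policy accepts anything, and the
                # kernel routing table decides what actually enters a tunnel.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # One XFRM interface ID per IKE_SA, so every satellite ends up
                # on its own ipsec<N> interface for the routing daemon to peer on.
                if_id_in  = %unique
                if_id_out = %unique
                # Script that creates/deletes that interface from the ID
                # strongSwan passes it in PLUTO_IF_ID_IN / PLUTO_IF_ID_OUT.
                updown = /usr/local/sbin/xfrmi-updown.sh   # assumed path
            }
        }
    }
}

# ---- GA (satellite), e.g. /etc/swanctl/conf.d/hub.conf ----
connections {
    to-hub {
        remote_addrs = gh.example.com
        dpd_delay    = 30s
        local {
            auth  = pubkey
            certs = ga.pem                 # assumed file name
            id    = ga.example.com
        }
        remote {
            auth = pubkey
            id   = gh.example.com
        }
        children {
            tunnel {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # Fixed ID on the satellite; matches the interface created with
                #   ip link add ipsec0 type xfrm dev eth0 if_id 42
                if_id_in  = 42
                if_id_out = 42
                start_action = start
                dpd_action   = restart
            }
        }
    }
}
```

With this layout the only thing that ties a subnet to a tunnel is a route pointing at an ipsec interface, so a routing daemon (OSPF or BGP) running on those interfaces does the rest: each satellite announces its own subnet, the hub re-advertises what it learns, and adding Net D touches nothing but GD's own configuration. iproute2 5.1 or newer understands `type xfrm`; older systems can use the small xfrmi tool shipped in the strongSwan source tree. Two caveats a practitioner should not skip: with 0.0.0.0/0 on both ends the IPsec policy no longer bounds what a peer may inject, so filter on the ipsec interfaces (and enable reverse-path filtering) so that a compromised satellite cannot source traffic as another net; and make sure no satellite accidentally points its default route into the tunnel unless that is the intent, because whatever the routing table sends to ipsec0 will be encrypted and forwarded by GH.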

