[strongSwan] Need advice on how to connect multiple sites and hosts to a VPN

Marwan Khalili marwan.khalili at edgeguide.com
Fri May 17 10:18:28 CEST 2019

Managed to solve this using the hub-spoke model. If anyone happens to stumble upon this thread in need of further help, I found the following strongSwan article useful:

As for using connmark, there are a few test examples (updown script available on GitHub):


From: Users <users-bounces at lists.strongswan.org> on behalf of Marwan Khalili <marwan.khalili at edgeguide.com>
Sent: Friday, April 26, 2019 11:11
To: Noel Kuntze; Michael Schwartzkopff; users at lists.strongswan.org
Subject: Re: [strongSwan] Need advice on how to connect multiple sites and hosts to a VPN


Thank you for the advice! I am trying to puzzle out a few things:

For a fully meshed network, is it possible to connect two hosts without a public IP (e.g. home PCs)? Or are we restricted to a partial mesh in that case?

For the hub-spoke model, I'm thinking that we either have one of the gateways act as a hub for the network or we maintain separate servers that will solely be used as hubs.

However, if we maintain separate hub servers we will not be able to set up a distinct server for each intranet VPN, as we have several customers and some of our customers wish to have multiple VPNs.

Is it possible to configure a hub to be used for several intranet VPNs in strongSwan without worrying about IP collisions? (Think two customers with separate VPNs, but using the same server as a hub). I have read about the connmark plugin but I am not sure if/how it is meant to be used for cases like this.



From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
Sent: Thursday, April 25, 2019 16:53
To: Marwan Khalili; Michael Schwartzkopff; users at lists.strongswan.org
Subject: Re: [strongSwan] Need advice on how to connect multiple sites and hosts to a VPN


That's perfectly feasible with strongSwan. Details would need to be discussed in particular, e.g. regarding any needed ACLs.
It's possible to build a dynamic fully meshed network using an OpenNHRP-compatible patched version of strongSwan. It requires some extra care though,
because it's evidently not maintained by upstream, but by Timo Teras of Alpine Linux.

The currently possible solution is either a manually configured mesh or a hub-spoke model, like Michael mentioned.
Meaning, there's a central site and all other sites connect to that central site to communicate with the others.
That evidently severely limits the available bandwidth and introduces a SPOF (Single Point Of Failure).

Kind regards


Am 25.04.19 um 16:26 schrieb Marwan Khalili:
> > How many sites / offices do you want to connect?
> It would be a limited amount of sites, we can assume that it will be between 2 to 10 sites.
> > Do you want to be able to communicate any-to-any? Or only from anyone to a datacenter?
> We wish to communicate any-to-any.
> > What architecture do you like to implement? A hub/spoke system would be the easiest.
> We were thinking of having a server act as an intermediary which the sites/hosts connect to. Perhaps this is what you meant by hub/spoke system?
> However, the architecture is not set in stone and we are open to any solution.
> With kind regards/Regards
> Marwan Khalili
> Cell +46 704784722
> marwan.khalili at edgeguide.com
> EdgeGuide AB
> S:t Eriksgatan 26, SE-112 39 Stockholm, Sweden
> phone +46 84411690, fax +46 87204190
> edgeguide.com <http://www.edgeguide.com/>
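The hub-spoke setup Noel describes (every site connects to one central site, which forwards between them) and Marwan's worry about address collisions when a single hub serves several customers are illustrated by the planning script below. It is an added example, not code from this thread or from the strongSwan project. The customer names, spoke addresses and subnets are constructed, and the hub's public address 203.0.113.1 and hub subnet 10.255.0.0/24 are assumptions. The script renders the hub side of a swanctl.conf in which the child SA towards each spoke lists the other spokes of the same customer in local_ts, which is what lets spoke-to-spoke traffic transit the hub, and it reports overlapping subnets: a collision inside one customer's VPN cannot be routed at all, while a collision between customers is only workable if the hub keeps those customers' traffic apart (per-customer routing tables with Netfilter marks, or one hub instance per customer), which the script flags but does not configure.

```python
"""Plan a strongSwan hub relaying traffic between the spokes of several customers.
Added example, not code from the thread or from strongSwan; inventory constructed,
hub address and hub subnet assumed."""
import ipaddress

# customer -> spoke -> (public IP, or None if the spoke is behind NAT, [subnets])
SITES = {
    "acme": {
        "stockholm": ("198.51.100.10", ["10.10.1.0/24"]),
        "malmo": ("198.51.100.20", ["10.10.2.0/24"]),
        "home-pc": (None, ["10.10.9.0/24"]),  # home PC without a public IP
    },
    "globex": {
        "hq": ("192.0.2.30", ["10.10.1.0/24"]),  # same prefix as acme/stockholm
        "branch": ("192.0.2.40", ["172.16.5.0/24"]),
    },
}
HUB_ADDR = "203.0.113.1"      # assumed public address of the hub
HUB_SUBNET = "10.255.0.0/24"  # assumed network behind the hub itself


def find_overlaps(sites):
    """All pairs of overlapping subnets: (cust_a, spoke_a, cust_b, spoke_b, net_a, net_b)."""
    entries = [(c, s, ipaddress.ip_network(n)) for c, spokes in sites.items()
               for s, (_, nets) in spokes.items() for n in nets]
    found = []
    for i, (ca, sa, na) in enumerate(entries):
        for cb, sb, nb in entries[i + 1:]:
            if na.overlaps(nb):
                found.append((ca, sa, cb, sb, str(na), str(nb)))
    return found


def same_customer_overlaps(sites):
    """Collisions inside one VPN: the hub forwards by destination, so these are fatal."""
    return [o for o in find_overlaps(sites) if o[0] == o[2]]


def cross_customer_overlaps(sites):
    """Collisions between customers: only workable if the hub keeps their traffic
    apart (per-customer routing tables plus Netfilter marks, or one hub per customer)."""
    return [o for o in find_overlaps(sites) if o[0] != o[2]]


def hub_traffic_selectors(sites, customer, spoke):
    """Selectors of the hub's child SA towards one spoke: remote_ts is the spoke's own
    subnets, local_ts the hub subnet plus every other spoke of the same customer, so a
    spoke-A-to-spoke-B packet matches the A tunnel on arrival and the B tunnel when the
    hub forwards it."""
    remote_ts = list(sites[customer][spoke][1])
    local_ts = [HUB_SUBNET]
    for other, (_, nets) in sites[customer].items():
        if other != spoke:
            local_ts.extend(nets)
    return local_ts, remote_ts


def render_hub_swanctl(sites):
    """Connections section of the hub's swanctl.conf (IKEv2, PSK). Pre-shared keys are
    omitted on purpose; they belong in the secrets section."""
    clashes = cross_customer_overlaps(sites)
    flagged = {(o[0], o[1]) for o in clashes} | {(o[2], o[3]) for o in clashes}
    out = ["connections {"]
    for customer, spokes in sites.items():
        for spoke, (public_ip, _) in spokes.items():
            name = f"{customer}-{spoke}"
            local_ts, remote_ts = hub_traffic_selectors(sites, customer, spoke)
            if (customer, spoke) in flagged:
                out.append(f"    # {name}: prefix also used by another customer, isolate it")
            # A spoke without a public IP must initiate; the hub only answers it, so it
            # gets remote_addrs = %any and no trap policy (a trap would try to initiate).
            remote_addrs = public_ip or "%any"
            start_action = "trap" if public_ip else "none"
            out += [
                f"    {name} {{",
                "        version = 2",
                f"        local_addrs = {HUB_ADDR}",
                f"        remote_addrs = {remote_addrs}",
                "        local {", "            auth = psk", "            id = hub", "        }",
                "        remote {", "            auth = psk", f"            id = {name}", "        }",
                "        children {", "            net {",
                f"                local_ts = {', '.join(local_ts)}",
                f"                remote_ts = {', '.join(remote_ts)}",
                f"                start_action = {start_action}",
                "            }", "        }", "    }",
            ]
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for o in same_customer_overlaps(SITES):
        print("FATAL:   %s/%s %s overlaps %s/%s %s" % (o[0], o[1], o[4], o[2], o[3], o[5]))
    for o in cross_customer_overlaps(SITES):
        print("WARNING: %s/%s %s overlaps %s/%s %s" % (o[0], o[1], o[4], o[2], o[3], o[5]))
    print(render_hub_swanctl(SITES))
```

Each spoke needs the mirror image of its hub connection: remote_ts on the spoke is the hub subnet plus the other spokes' subnets of that customer, and a spoke behind NAT (the home PC case) uses start_action = start on its side since the hub cannot reach it. The two hosts without public IPs from Marwan's question both work as spokes of this kind, with the hub relaying between them.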

