[strongSwan] Idea for NATted hub-and-spoke Site-to-Site Usable Example

Nicholas Jenkins nick at notashutin.com
Sun Feb 23 05:25:07 CET 2020

I found the "Usable Example" documentation invaluable.

However, it overlooks a Site-to-Site scenario that I think could have
relevance: NATted hub-and-spoke.

How do we determine interest in, and if interest exists, how do we arrange
additional documentation for new "Usable Examples"?



I wanted to build a family network over site-to-site VPN.

Why? Although I had a Road-Warrior setup for the last 2 years, I
recognized that if my family needed support for their WAP or network
printer, this would be much easier with a routed (flat) network, rather
than only having access to their PC via Road-Warrior VPN.


Design Constraints: I already had my home server exposed via
NAT-T/IKEv2 on the Internet to support Road-Warrior, but:

1. I didn't want my family to have to expose any technology (computer
or router) on the Internet

   a. Fewer keys to manage
   b. Fewer points of ingress/egress to be compromised

2. Although my ISP service is business-class, and thus not constrained,
their service is all residential, and could possibly be constrained from
hosting VPN services.

So, this would mean needing a computer inside their LAN, behind a NATting
ISP-uplink router, to initiate the VPN connection back to my VPN. Communication
may be bi-directional, but VPN session initiation would need to start at the
remote family sites (thus, NATted hub-and-spoke).


I noticed that all of the Site-to-Site scenarios assume the ability to initiate
the connection from either side (i.e. truly "peers"), and I don't think I saw
any addressing where one side was behind a NAT router (specifically a
different network appliance as the NAT router, not just the local device).


I'm happy to provide documentation + config examples if there is interest.


Kind regards.
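As an added example that is not part of the original post and not strongSwan project documentation, the following shows one way to express the NATted hub-and-spoke topology described above in swanctl.conf. All addresses, identities and certificate file names are constructed for illustration: the hub has public address 203.0.113.10 and LAN 10.0.0.0/24; the spoke has LAN 192.168.1.0/24 and sits behind the ISP's NAT router, so it has no reachable address of its own. The hub is configured as a pure responder (it never initiates, because it cannot reach the spoke), while the spoke initiates at daemon start and re-initiates on DPD timeout; IKEv2 NAT traversal and UDP encapsulation are negotiated automatically by charon, so only the hub needs UDP 500/4500 reachable from the Internet.

```conf
# ---- hub: /etc/swanctl/swanctl.conf (constructed example) ----
connections {
    spoke-a {
        version = 2
        # Hub never initiates: the spoke is behind NAT and unreachable,
        # so remote_addrs stays a wildcard and start_action keeps its
        # default (none).
        remote_addrs = %any
        local {
            auth = pubkey
            certs = hubCert.pem          # assumed cert issued by a local CA
            id = hub.example.org
        }
        remote {
            auth = pubkey
            id = spokea.example.org      # one connection per spoke, keyed on remote.id
        }
        children {
            spoke-a-net {
                local_ts = 10.0.0.0/24       # hub LAN
                remote_ts = 192.168.1.0/24   # spoke A LAN behind NAT
                # Spoke drives re-initiation; on DPD timeout just tear down.
                dpd_action = clear
            }
        }
        dpd_delay = 30s
    }
}

# ---- spoke A: /etc/swanctl/swanctl.conf (constructed example) ----
connections {
    hub {
        version = 2
        remote_addrs = 203.0.113.10      # hub's public address (constructed)
        local {
            auth = pubkey
            certs = spokeACert.pem
            id = spokea.example.org
        }
        remote {
            auth = pubkey
            id = hub.example.org
        }
        children {
            hub-net {
                local_ts = 192.168.1.0/24
                remote_ts = 10.0.0.0/24
                start_action = start     # spoke initiates when charon starts
                dpd_action = restart     # re-initiate if the hub stops answering
            }
        }
        dpd_delay = 30s
        keyingtries = 0                  # retry indefinitely (hub may be down briefly)
    }
}
```

Notes on the design: the spoke's dpd_action = restart together with keyingtries = 0 is what keeps the tunnel alive from the unreachable side, and charon's default NAT keepalive (charon.keep_alive in strongswan.conf, 20 seconds by default) keeps the ISP router's NAT mapping open between IKE messages. For additional family sites, add one more connection block on the hub per spoke, each distinguished by its remote.id and remote_ts. For the "routed (flat) network" goal, hosts on each LAN still need a route for the far side's prefix pointing at the local VPN host (or the VPN host must be that LAN's default gateway), and IP forwarding must be enabled on both VPN hosts.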

