[strongSwan] Removing individual certs

2019-05-17 Thread Roee Agami
Hi,
Is there a way to unload individual certs from strongSwan?
All I see are ways to completely remove all of the configured certs.

Thanks.


Re: [strongSwan] Need advice on how to connect multiple sites and hosts to a VPN

2019-05-17 Thread Marwan Khalili
Managed to solve this using the hub-spoke model. If anyone should happen to 
stumble upon this thread in need of further help, I found the following 
strongSwan article useful:
https://wiki.strongswan.org/projects/strongswan/wiki/SubnetsBehindMoreThanTwoGateways.

As for using connmark, there are a few test examples (updown script available 
on github):
https://www.strongswan.org/testing/testresults/ikev2/host2host-transport-connmark/index.html
https://www.strongswan.org/testing/testresults/ikev2/nat-rw-mark/index.html

Regards
Marwan


From: Users on behalf of Marwan Khalili
Sent: Friday, April 26, 2019 11:11
To: Noel Kuntze; Michael Schwartzkopff; users@lists.strongswan.org
Subject: Re: [strongSwan] Need advice on how to connect multiple sites and 
hosts to a VPN


Hello,


Thank you for the advice! I am trying to puzzle out a few things:


For a fully meshed network, is it possible to connect two hosts without a 
public IP (e.g. home PCs)? Or are we restricted to a partial mesh in that case?


For the hub-spoke model, I'm thinking that we either have one of the gateways 
act as a hub for the network or we maintain separate servers that will solely 
be used as hubs.

However, if we maintain separate hub servers we will not be able to set up a 
distinct server for each intranet VPN, as we have several customers and some of 
our customers wish to have multiple VPNs.

Is it possible to configure a hub to be used for several intranet VPNs in 
strongSwan without worrying about IP collisions? (Think two customers with 
separate VPNs, but using the same server as a hub). I have read about the 
connmark plugin but I am not sure if/how it is meant to be used for cases like 
this.


Regards


Marwan




From: Noel Kuntze 
Sent: Thursday, April 25, 2019 16:53
To: Marwan Khalili; Michael Schwartzkopff; users@lists.strongswan.org
Subject: Re: [strongSwan] Need advice on how to connect multiple sites and 
hosts to a VPN

Hello,

That's perfectly feasible with strongSwan. Details would need to be discussed 
in particular. E.g. regarding any needed ACLs.
It's possible to build a dynamic fully meshed network using an OpenNHRP 
compatible patched version of strongSwan. It requires some extra care though,
because it's evidently not maintained by upstream, but by Timo Teras of Alpine 
Linux.

The currently possible solution is either a manually configured mesh or a 
hub-spoke model, like Michael mentioned.
Meaning, there's a central site and all other sites connect to that central 
site to communicate with the others.
That evidently severely limits the available bandwidth and introduces a SPOF 
(Single Point Of Failure).

Kind regards

Noel

On 25.04.19 at 16:26, Marwan Khalili wrote:
> > How many sites / offices do you want to connect?
>
> It would be a limited amount of sites, we can assume that it will be between 
> 2 to 10 sites.
>
> > Do you want to be able to communicate any-to-any? Or only from anyone to a 
> > datacenter?
>
> We wish to communicate any-to-any.
>
> > What architecture do you like to implement? A hub/spoke system would be the 
> > easiest.
>
> We were thinking of having a server act as an intermediary which the 
> sites/hosts connect to. Perhaps this is what you meant by hub/spoke system?
>
> However, the architecture is not set in stone and we are open to any solution.
>
>
> Kind regards/Regards
>
> Marwan Khalili
> Cell +46 704784722
> marwan.khal...@edgeguide.com
>
> EdgeGuide AB
> S:t Eriksgatan 26, SE-112 39 Stockholm, Sweden
> phone +46 84411690, fax +46 87204190
> edgeguide.com 
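An added example, not taken from this thread or from the strongSwan project, of the hub-spoke layout Noel describes, written in swanctl.conf syntax. Subnets, identities and certificate file names are constructed: the hub lists every other site's subnet in each spoke's traffic selectors and forwards between the SAs, so spoke A reaches spoke B through the hub without a direct SA between them.

```conf
# Constructed example: hub subnet 10.0.0.0/24, spoke A 10.1.0.0/24,
# spoke B 10.2.0.0/24; identities and cert file names are assumed.

# --- hub: /etc/swanctl/swanctl.conf (hub also needs net.ipv4.ip_forward=1)
# The spoke-b connection is identical with the A and B subnets swapped.
connections {
    spoke-a {
        remote_addrs = %any      # spoke may be behind NAT; it initiates
        local {
            auth = pubkey
            certs = hubCert.pem
            id = hub.example.org
        }
        remote {
            auth = pubkey
            id = spoke-a.example.org
        }
        children {
            spoke-a {
                # hub subnet plus every other spoke's subnet: A-to-B traffic
                # arrives on this SA and is forwarded into spoke B's SA
                local_ts  = 10.0.0.0/24,10.2.0.0/24
                remote_ts = 10.1.0.0/24
            }
        }
    }
}

# --- spoke A: /etc/swanctl/swanctl.conf (spoke B is symmetrical)
connections {
    hub {
        remote_addrs = hub.example.org
        local {
            auth = pubkey
            certs = spokeACert.pem
            id = spoke-a.example.org
        }
        remote {
            auth = pubkey
            id = hub.example.org
        }
        children {
            hub {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.0.0.0/24,10.2.0.0/24   # hub plus all other spokes
                start_action = start
            }
        }
    }
}
```

As Noel notes, every inter-site packet then crosses the hub twice (decrypt, forward, re-encrypt), which is where the bandwidth limit and the single point of failure come from.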