Re: [strongSwan] Set up strongswan in hub-and-spoke topology
On 2015-04-01 22:55, Rajiv Kulkarni wrote:

> Hi
>
> Maybe the attached ipsec.conf files for Hub and spokes (2 spokes) would be useful. It worked for me nicely in my setup, which is also attached.
>
> PS: The attachment is a rar file (zipped using winrar)
>
> thanks
> regards
> rajiv
>
> On Sun, Mar 29, 2015 at 2:43 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:
>
>> Hello Aleksey
>>
>> You need to define every net-to-net tunnel manually in ipsec.conf or swanctl.conf. The tunneled subnets for every spoke configuration on the hub would be
>>
>>     leftsubnet=allOtherSpokeNetworks
>>     rightsubnet=SpokeNetwork
>>
>> On the spokes, the declaration would be the reverse of that.
>>
>> You can only use a host that is reachable on layer two as a router for another host. So you cannot do that. You can, however, set the DSCP value in the IP packets you want to be routed by the hub, for example, and use policy-based routing on the hub to handle them in a special way.
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 28.03.2015 at 16:12, unite wrote:
>>
>>> Hi guys!
>>>
>>> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so that I have, for example, a strongswan hub in the central office and multiple spokes whose traffic between each other should be routed through the central office? I haven't found a guide on the net, so it would be very helpful for me if you could point me to one, or just explain how I can configure my tunnels in such a way.
>>>
>>> Also, I guess a pretty similar question: can I configure clients in a spoke's network to use the central office as their default gateway, so that their traffic is routed encrypted to the central office, then decrypted and sent to the receiver?
>>>
>>> Thanks in advance.

Thanks everyone, guys. I'll try configuring it in the next few days.

--
With kind regards,
Aleksey

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Set up strongswan in hub-and-spoke topology
Hi

Maybe the attached ipsec.conf files for Hub and spokes (2 spokes) would be useful. It worked for me nicely in my setup, which is also attached.

PS: The attachment is a rar file (zipped using winrar)

thanks
regards
rajiv

On Sun, Mar 29, 2015 at 2:43 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:

> Hello Aleksey
>
> You need to define every net-to-net tunnel manually in ipsec.conf or swanctl.conf. The tunneled subnets for every spoke configuration on the hub would be
>
>     leftsubnet=allOtherSpokeNetworks
>     rightsubnet=SpokeNetwork
>
> On the spokes, the declaration would be the reverse of that.
>
> You can only use a host that is reachable on layer two as a router for another host. So you cannot do that. You can, however, set the DSCP value in the IP packets you want to be routed by the hub, for example, and use policy-based routing on the hub to handle them in a special way.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 28.03.2015 at 16:12, unite wrote:
>
>> Hi guys!
>>
>> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so that I have, for example, a strongswan hub in the central office and multiple spokes whose traffic between each other should be routed through the central office? I haven't found a guide on the net, so it would be very helpful for me if you could point me to one, or just explain how I can configure my tunnels in such a way.
>>
>> Also, I guess a pretty similar question: can I configure clients in a spoke's network to use the central office as their default gateway, so that their traffic is routed encrypted to the central office, then decrypted and sent to the receiver?
>>
>> Thanks in advance.

Attachment: strongswan-ipsec-hub-spoke-configs.rar (application/rar)
Re: [strongSwan] Set up strongswan in hub-and-spoke topology
On 2015-03-28 23:13, Noel Kuntze wrote:

> Hello Aleksey
>
> You need to define every net-to-net tunnel manually in ipsec.conf or swanctl.conf. The tunneled subnets for every spoke configuration on the hub would be
>
>     leftsubnet=allOtherSpokeNetworks
>     rightsubnet=SpokeNetwork
>
> On the spokes, the declaration would be the reverse of that.
>
> You can only use a host that is reachable on layer two as a router for another host. So you cannot do that. You can, however, set the DSCP value in the IP packets you want to be routed by the hub, for example, and use policy-based routing on the hub to handle them in a special way.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 28.03.2015 at 16:12, unite wrote:
>
>> Hi guys!
>>
>> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so that I have, for example, a strongswan hub in the central office and multiple spokes whose traffic between each other should be routed through the central office? I haven't found a guide on the net, so it would be very helpful for me if you could point me to one, or just explain how I can configure my tunnels in such a way.
>>
>> Also, I guess a pretty similar question: can I configure clients in a spoke's network to use the central office as their default gateway, so that their traffic is routed encrypted to the central office, then decrypted and sent to the receiver?
>>
>> Thanks in advance.

Hi Noel!

Thanks for your answer; however, I got a bit confused by it. So you mean that I can configure a hub-and-spoke topology for routing between the spokes' subnets, but the second scenario, in which all client traffic is first routed through the hub, cannot be achieved using strongswan only, and I need some complex PBR configuration on both hub and spoke, I guess?

--
With kind regards,
Aleksey
Re: [strongSwan] Set up strongswan in hub-and-spoke topology
Hello Aleksey,

The problem with what you want to do is that you can only use hosts as a gateway that you can reach directly on layer two. So you cannot do that over an IPsec tunnel.

The way to make that happen is to mark the traffic that you want to route in a special way. Inside the netfilter stack, you can use marks for that. In between the physical hosts (on the ethernet wire), you could use another MAC address to differentiate the packets. A way to implement that is by using a macvtap interface on top of your ethernet interface. The goal of all this is to enable all hosts to differentiate traffic that is to be handled in a special way.

Regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 30.03.2015 at 09:58, unite wrote:

> On 2015-03-28 23:13, Noel Kuntze wrote:
>
>> Hello Aleksey
>>
>> You need to define every net-to-net tunnel manually in ipsec.conf or swanctl.conf. The tunneled subnets for every spoke configuration on the hub would be
>>
>>     leftsubnet=allOtherSpokeNetworks
>>     rightsubnet=SpokeNetwork
>>
>> On the spokes, the declaration would be the reverse of that.
>>
>> You can only use a host that is reachable on layer two as a router for another host. So you cannot do that. You can, however, set the DSCP value in the IP packets you want to be routed by the hub, for example, and use policy-based routing on the hub to handle them in a special way.
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 28.03.2015 at 16:12, unite wrote:
>>
>>> Hi guys!
>>>
>>> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so that I have, for example, a strongswan hub in the central office and multiple spokes whose traffic between each other should be routed through the central office? I haven't found a guide on the net, so it would be very helpful for me if you could point me to one, or just explain how I can configure my tunnels in such a way.
>>>
>>> Also, I guess a pretty similar question: can I configure clients in a spoke's network to use the central office as their default gateway, so that their traffic is routed encrypted to the central office, then decrypted and sent to the receiver?
>>>
>>> Thanks in advance.
>
> Hi Noel!
>
> Thanks for your answer; however, I got a bit confused by it. So you mean that I can configure a hub-and-spoke topology for routing between the spokes' subnets, but the second scenario, in which all client traffic is first routed through the hub, cannot be achieved using strongswan only, and I need some complex PBR configuration on both hub and spoke, I guess?
Re: [strongSwan] Set up strongswan in hub-and-spoke topology
Hello Aleksey

You need to define every net-to-net tunnel manually in ipsec.conf or swanctl.conf. The tunneled subnets for every spoke configuration on the hub would be

    leftsubnet=allOtherSpokeNetworks
    rightsubnet=SpokeNetwork

On the spokes, the declaration would be the reverse of that.

You can only use a host that is reachable on layer two as a router for another host. So you cannot do that. You can, however, set the DSCP value in the IP packets you want to be routed by the hub, for example, and use policy-based routing on the hub to handle them in a special way.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 28.03.2015 at 16:12, unite wrote:

> Hi guys!
>
> Is there a way to configure strongswan in a site-to-site hub-and-spoke topology, so that I have, for example, a strongswan hub in the central office and multiple spokes whose traffic between each other should be routed through the central office? I haven't found a guide on the net, so it would be very helpful for me if you could point me to one, or just explain how I can configure my tunnels in such a way.
>
> Also, I guess a pretty similar question: can I configure clients in a spoke's network to use the central office as their default gateway, so that their traffic is routed encrypted to the central office, then decrypted and sent to the receiver?
>
> Thanks in advance.
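Added example, not code from this thread or from the strongSwan project: a small generator for the hub and spoke ipsec.conf conn sections following the rule in Noel's reply above (hub side: leftsubnet = hub LAN plus all other spoke LANs, rightsubnet = that spoke's LAN; spoke side: the reverse), generalized to any number of spokes. The addresses, conn names, the auto= choices and the overlap check are assumptions; authentication settings are deliberately left out.

```python
# Added illustration (not from the mailing list or strongSwan): build ipsec.conf
# "conn" sections for a hub and N spokes. All addresses are constructed samples.
# Authentication options (leftcert/rightcert, leftid/rightid, ...) are omitted
# and must be added before the sections are usable.
from ipaddress import ip_network

HUB_WAN, HUB_LAN = "203.0.113.1", "10.0.0.0/24"
SPOKES = {  # name -> (public address, LAN behind that spoke); sample values
    "spokeA": ("198.51.100.10", "10.1.0.0/24"),
    "spokeB": ("198.51.100.20", "10.2.0.0/24"),
    "spokeC": ("198.51.100.30", "10.3.0.0/24"),
}

def check_disjoint(spokes=SPOKES, hub_lan=HUB_LAN):
    """Overlapping LANs make the IPsec policies ambiguous; refuse them up front."""
    nets = [ip_network(hub_lan)] + [ip_network(lan) for _, lan in spokes.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets: {a} and {b}")
    return True

def far_side_subnets(spoke, spokes=SPOKES, hub_lan=HUB_LAN):
    """Networks reachable through the hub from `spoke`: hub LAN + every other spoke LAN."""
    return [hub_lan] + [lan for n, (_, lan) in spokes.items() if n != spoke]

def conn(name, left, leftsubnet, right, rightsubnet, auto):
    # keyexchange=ikev2 so the comma-separated subnet list is carried by one
    # CHILD_SA; IKEv1 would negotiate a separate SA per subnet pair.
    return (f"conn {name}\n    keyexchange=ikev2\n    auto={auto}\n"
            f"    left={left}\n    leftsubnet={','.join(leftsubnet)}\n"
            f"    right={right}\n    rightsubnet={','.join(rightsubnet)}\n")

def hub_conn(spoke, spokes=SPOKES):
    """Section for the hub's ipsec.conf; the hub waits (auto=add) for the spoke."""
    addr, lan = spokes[spoke]
    return conn(f"hub-{spoke}", HUB_WAN, far_side_subnets(spoke, spokes), addr, [lan], "add")

def spoke_conn(spoke, spokes=SPOKES):
    """Section for the spoke's ipsec.conf: the hub's pair mirrored, spoke initiates."""
    addr, lan = spokes[spoke]
    return conn(f"{spoke}-hub", addr, [lan], HUB_WAN, far_side_subnets(spoke, spokes), "start")

if __name__ == "__main__":
    check_disjoint()
    print("# hub ipsec.conf\n" + "\n".join(hub_conn(s) for s in SPOKES))
    for s in SPOKES:
        print(f"# {s} ipsec.conf\n" + spoke_conn(s))
```

Adding a spoke means adding one entry to the table and regenerating every section, because each existing spoke's far-side list changes as well.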