On Monday, 19 January 2015, 13:41:14, Darko Luketic wrote:
> Hello,
>
> I'm not sure if ipsec/libreswan is the way to go.
>
> What I want is 2 (or more) servers to share the same private subnet.

No. IPsec is a layer 3 protocol. You can connect two networks. What you are looking for is a layer 2 tunnel over a layer 3 network. I would suggest that you have a look at http://lartc.org/howto/lartc.tunnel.gre.html

Additionally you could (and perhaps you should) encrypt the traffic of the GRE tunnel. Here IPsec and strongSwan can help you.

> Let's take the 2 servers scenario for starters.
>
> Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
> Both servers should share the same private subnet. 10.0.0.0
> s1 should have 10.0.0.1
> s2 should have 10.0.0.2
> (and likewise sX should have 10.0.0.X for 4,6,8... servers)
>
> I'm not sure where to start or what the configuration should be.
>
> I have created hostkeys on both
> s1s2.conf
> ###
> config setup
>     protostack=netkey
>
> conn s1s2
>     leftid=@s1 #does this need the fqdn?
>     left=publicIPv4_of_s1
>     leftrsasigkey=theleftkey_s1
>     rightid=@s2 #or is this just an internal identifier?
>     right=publicIPv4_of_s2
>     rightrsasigkey=therightkey_s2
>     authby=rsasig
>     auto=add
> ###
>
> I'm not sure how to proceed next.
>
> So the end result should be something like:
> mongodb replicaset_s1s2 listen 10.0.0.1:27017 & 10.0.0.2:27017
> website1 service listen 10.0.0.1:10000 10.0.0.2:10000
> So I can have nginx listening on s1_public_IPs & s2_public_IPs
> and this should load balance to 10.0.0.1:10000 & 10.0.0.2:10000
> and those should likewise connect to 10.0.0.1:27017 & 10.0.0.2:27017
> so I don't need TLS overhead for DB connections.
> ^ this is just to visualize what I had in mind, so that it's clear why I
> need a specific subnet for each server
>
> And the next question is,
> let's say I expand those 2 servers to 3 ( because mongodb needs an
> arbiter, a 3rd server to decide who's the primary and replica)
> and the 3rd server should be part of the VPN as 10.0.0.3

Perhaps a loadbalancer is what you are looking for?
Kind regards,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: Munich, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
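The GRE-over-IPsec setup suggested above, as an added example that is not from the thread and not Libreswan project code: a POSIX shell script that prints, for server i of N, the ip(8) commands for a point-to-point GRE tunnel to every other server (server i being 10.0.0.i) and an ipsec.conf fragment that encrypts each tunnel's GRE packets, IP protocol 47, in transport mode. The function names, the gre-sN interface names, the conn names and the 198.51.100.0/24 public addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print, without running, the ip(8)
# commands for a GRE mesh of N servers (server i gets 10.0.0.i) and an
# ipsec.conf fragment that encrypts each tunnel's GRE packets (protocol 47)
# in transport mode. All names and addresses here are assumptions.

# gre_mesh_cmds <this-server-index> <pubip1> <pubip2> ...
# One point-to-point GRE tunnel per peer; review the output, then run as root.
gre_mesh_cmds() {
    me=$1; shift
    eval mypub=\${$me}            # public address of this server
    j=0
    for pub in "$@"; do
        j=$((j + 1))
        [ "$j" -eq "$me" ] && continue
        dev="gre-s$j"
        printf 'ip tunnel add %s mode gre local %s remote %s ttl 64\n' \
            "$dev" "$mypub" "$pub"
        # peer /32: 10.0.0.<j> is reachable only through this tunnel
        printf 'ip addr add 10.0.0.%d peer 10.0.0.%d/32 dev %s\n' "$me" "$j" "$dev"
        printf 'ip link set %s up\n' "$dev"
    done
}

# ipsec_mesh_conf <this-server-index> <pubip1> <pubip2> ...
# One transport-mode conn per peer: protoport 47 selects only GRE, so the
# tunnelled 10.0.0.0/24 traffic is encrypted between the public addresses.
ipsec_mesh_conf() {
    me=$1; shift
    eval mypub=\${$me}
    j=0
    for pub in "$@"; do
        j=$((j + 1))
        [ "$j" -eq "$me" ] && continue
        cat <<EOF
conn s${me}s${j}-gre
    type=transport
    left=$mypub
    leftid=@s$me
    leftprotoport=47
    right=$pub
    rightid=@s$j
    rightprotoport=47
    authby=rsasig
    # paste leftrsasigkey=/rightrsasigkey= from 'ipsec showhostkey --left/--right'
    auto=start
EOF
    done
}
```

On each server, pipe the output of gre_mesh_cmds into sh as root and append the ipsec_mesh_conf output (with the host keys filled in) to ipsec.conf; the tunnel interfaces carry the 10.0.0.0/24 traffic and IPsec protects the GRE packets between the public addresses.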
