If speed matters, use esp=aes_gcm-null

Paul

Sent from my iPhone

> On Jan 19, 2015, at 15:57, Darko Luketic <[email protected]> wrote:
>
> Paul,
>
> thank you for this great, comprehensive explanation, appreciate it.
> Works well. Good throughput too, with 2 nodes at least, not tried with
> more yet, but it shouldn't make much of a difference imho, since it's
> host to host always. It's almost as if traffic isn't encrypted at all,
> almost no overhead. *thumbs up*
>
>> On 01/19/2015 06:46 PM, Paul Wouters wrote:
>>> On Mon, 19 Jan 2015, Darko Luketic wrote:
>>>
>>> What I want is 2 (or more) servers to share the same private
>>> subnet.
>>
>> That can only be if they ARE in the same subnet. There is a big
>> difference between layers. If you want to build a distributed LAN,
>> you need bridges and STP, not IP layer solutions.
>>
>>> Let's take the 2 servers scenario for starters.
>>>
>>> Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
>>> Both servers should share the same private subnet, 10.0.0.0.
>>> s1 should have 10.0.0.1, s2 should have 10.0.0.2 (and likewise sX
>>> should have 10.0.0.X for 4,6,8... servers)
>>
>> If you just want each server to be able to talk to each other
>> server on a single IP, you can create IPsec tunnels for /32 subnets
>> (or /64 subnets). If you think this setup will allow you to
>> broadcast to 10.0.0.255 to reach all servers, then you need a
>> bridge, not an IPsec server.
>>
>> In this case, you will need to build one ipsec tunnel between each
>> host. In your case of s1 to s2 this would be:
>>
>>> conn s1s2
>>>     leftid=@s1 #does this need the fqdn?
>>
>> Can be any unique string you want.
>>
>>>     left=publicIPv4_of_s1
>>>     leftrsasigkey=theleftkey_s1
>>>     rightid=@s2 #or is this just an internal identifier?
>>
>> Again, any unique string you want. Since FQDNs are unique, that's
>> often used.
>>
>>>     right=publicIPv4_of_s2
>>>     rightrsasigkey=therightkey_s2
>>>     authby=rsasig
>>>     auto=add
>>
>> And you need to add:
>>
>>     leftsubnet=10.0.0.1/32
>>     rightsubnet=10.0.0.2/32
>>
>>>
>>> And the next question is, let's say I expand those 2 servers to 3
>>> (because mongodb needs an arbiter, a 3rd server to decide who's
>>> the primary and replica) and the 3rd server should be part of the
>>> VPN as 10.0.0.3
>>>
>>> What would the configuration look like?
>>
>> You would need to create two tunnels on three hosts, eg:
>>
>> on s1: s1s2 and s1s3
>> on s2: s1s2 and s2s3
>> on s3: s1s3 and s2s3
>>
>>> Do I need to assign the IPs before starting ipsec?
>>
>> You don't need to have the IPs before you start, but if you want
>> to receive or send packets then you need the IPs to be active.
>>
>>> And what if I'd like one server to have both 10.0.0.3 and
>>> 10.0.0.4?
>>
>> You can use:
>>
>>     leftsubnets=10.0.0.1/32
>>     rightsubnets=10.0.0.3/32,10.0.0.4/32
>>
>> Paul
>
> --
> Best,
>
> Darko

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
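The thread above ends with a recipe (one /32-to-/32 tunnel per pair of hosts, the same conn name on both ends, rsasig authentication, and esp=aes_gcm-null for throughput) but never shows the complete per-host file. The script below is an added example, not code from the thread or from the libreswan project: it prints the ipsec.conf stanzas one host of a full mesh needs, for any number of hosts, not just three. Each stanza always puts the lower-sorting host name on the left, so the s1s2 stanza is byte-identical on s1 and s2 and the same file can be copied to every host; libreswan decides which side is local from the addresses. The host names, the RFC 5737 documentation addresses and the 0sAQ-... key strings are constructed placeholders; real keys come from `ipsec showhostkey --left` (or --right) on each host. Note that in libreswan's esp= syntax the "null" in aes_gcm-null is the integrity slot, which an AEAD cipher such as AES-GCM already fills: traffic is still encrypted and integrity-protected, it just skips a separate HMAC.

```shell
#!/bin/sh
# Added example, not code from the thread or from the libreswan project:
# print the ipsec.conf "conn" stanzas one host needs in a full-mesh,
# host-to-host IPsec setup (one tunnel per pair of hosts, /32 subnets).
#
#   usage: mesh_conf <myname> name:public_ip:private_ip:rsakey [...]
#
# The host names, the documentation-range addresses and the "0sAQ-..."
# keys at the bottom are constructed sample data; real keys come from
# `ipsec showhostkey --left` (or --right) on each host.

# Sorted pair name: s1 and s2 both call their tunnel "s1s2".
pair_name() {
    printf '%s\n%s\n' "$1" "$2" | sort | tr -d '\n'
}

# Whichever of the two names sorts first becomes "left".
first_of() {
    printf '%s\n%s\n' "$1" "$2" | sort | head -n 1
}

# Split "name:pub:priv:key" into f1..f4.
split4() {
    f1=${1%%:*}; r=${1#*:}
    f2=${r%%:*}; r=${r#*:}
    f3=${r%%:*}; f4=${r#*:}
}

# One stanza. Arguments: left name pub priv key, right name pub priv key.
# Left is always the lower-sorting host, so the stanza is identical on both
# ends; libreswan works out which side is local from the addresses.
emit_conn() {
    printf 'conn %s\n' "$(pair_name "$1" "$5")"
    printf '    leftid=@%s\n    left=%s\n    leftsubnet=%s/32\n    leftrsasigkey=%s\n' \
        "$1" "$2" "$3" "$4"
    printf '    rightid=@%s\n    right=%s\n    rightsubnet=%s/32\n    rightrsasigkey=%s\n' \
        "$5" "$6" "$7" "$8"
    printf '    authby=rsasig\n'
    # AES-GCM is an AEAD cipher: "null" fills libreswan's integrity slot,
    # the traffic is still encrypted and integrity-protected.
    printf '    esp=aes_gcm-null\n'
    printf '    auto=add\n\n'
}

# Print every stanza the host named $1 needs, one per other host.
mesh_conf() {
    me=$1; shift
    mine=""
    for h in "$@"; do
        if [ "${h%%:*}" = "$me" ]; then mine=$h; fi
    done
    if [ -z "$mine" ]; then
        echo "mesh_conf: $me is not in the host list" >&2
        return 1
    fi
    split4 "$mine"; mn=$f1; mp=$f2; mv=$f3; mk=$f4
    for h in "$@"; do
        if [ "${h%%:*}" = "$me" ]; then continue; fi
        split4 "$h"; pn=$f1; pp=$f2; pv=$f3; pk=$f4
        if [ "$(first_of "$mn" "$pn")" = "$mn" ]; then
            emit_conn "$mn" "$mp" "$mv" "$mk" "$pn" "$pp" "$pv" "$pk"
        else
            emit_conn "$pn" "$pp" "$pv" "$pk" "$mn" "$mp" "$mv" "$mk"
        fi
    done
}

# Constructed sample inventory: three hosts, private mesh addresses in 10.0.0.0/24.
H1="s1:192.0.2.1:10.0.0.1:0sAQ-KEY-OF-S1"
H2="s2:198.51.100.2:10.0.0.2:0sAQ-KEY-OF-S2"
H3="s3:203.0.113.3:10.0.0.3:0sAQ-KEY-OF-S3"

# Stand-alone use: `sh mesh.sh s2` prints the stanzas for s2 (s1s2 and s2s3).
if [ $# -eq 1 ]; then
    mesh_conf "$1" "$H1" "$H2" "$H3"
fi
```

Running `sh mesh.sh s2` yields exactly the two stanzas Paul lists for s2 (s1s2 and s2s3), and the s1s2 stanza it prints is the same text `sh mesh.sh s1` prints, so one generated file per host (or one shared file) is enough. After loading it with `ipsec auto --add s1s2` and `ipsec auto --up s1s2`, remember Paul's point that the 10.0.0.X addresses have to be active on each host before any packets flow through the tunnel.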
