On 2015-03-28 23:13, Noel Kuntze wrote:
Hello Aleksey
You need to define every net-to-net tunnel manually in ipsec.conf or
swanctl.conf.
The tunneled subnets for every spoke configuration on the hub would be
leftsubnet=allOtherSpokeNetworks
rightsubnet=SpokeNetwork
On the spokes, the declaration would be the reverse of that.
You can only use a host that is reachable on layer two as router for
another host.
So you cannot do that. You can, however, set the dscp value in the IP
packets you want to be routed by the hub, for example, and use policy
based routing on the hub to handle them in a special way.
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 28.03.2015 at 16:12, unite wrote:
Hi guys!
Is there a way to configure strongswan in a site-to-site hub-and-spoke
topology, so for me to have for example strongswan hub in central
office and having multiple spokes whose traffic between each other
should be routed through the central office? I haven't found a guide
on the net, so it would be very helpful for me if you can point me to
the one, or just explain how can I configure my tunnels in such a way.
Also, I guess pretty similar question, can I configure clients in
spoke's network to use central office as a default gateway, so their
traffic should be routed encrypted to the central office, then
decrypted and sent to the receiver?
Thanks in advance.
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
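Added example, not part of the original thread or of strongSwan itself: a small generator for the per-spoke ipsec.conf sections described in the reply above (hub side leftsubnet = all other spoke networks, rightsubnet = the spoke's network; the spoke side is the reverse). The addresses, subnets, conn names and helper functions are constructed for illustration, and authentication settings are left out.

```python
import ipaddress

# Constructed sample data: spoke names, public addresses and LAN subnets.
HUB_ADDR = "203.0.113.1"
SPOKES = {
    "spoke-a": ("198.51.100.10", "10.1.0.0/16"),
    "spoke-b": ("198.51.100.20", "10.2.0.0/16"),
    "spoke-c": ("198.51.100.30", "10.3.0.0/16"),
}

def check_no_overlap(spokes):
    """Reject overlapping spoke subnets; their tunnel policies would conflict."""
    nets = [(n, ipaddress.ip_network(sub)) for n, (_, sub) in spokes.items()]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"{name_a} and {name_b} overlap")

def other_subnets(spokes, name):
    """Comma-separated subnets of every spoke except `name`."""
    return ",".join(sub for n, (_, sub) in spokes.items() if n != name)

def render(conn, left, leftsubnet, right, rightsubnet, auto):
    """One ipsec.conf conn section (authentication settings omitted)."""
    # A comma-separated subnet list is only honoured with IKEv2.
    return (f"conn {conn}\n    keyexchange=ikev2\n"
            f"    left={left}\n    leftsubnet={leftsubnet}\n"
            f"    right={right}\n    rightsubnet={rightsubnet}\n"
            f"    auto={auto}\n")

def hub_conn(spokes, name):
    """Hub side: leftsubnet = all other spoke networks, rightsubnet = this spoke."""
    addr, sub = spokes[name]
    return render(name, HUB_ADDR, other_subnets(spokes, name), addr, sub, "add")

def spoke_conn(spokes, name):
    """Spoke side: the reverse of the hub's declaration."""
    addr, sub = spokes[name]
    return render("hub", addr, sub, HUB_ADDR, other_subnets(spokes, name), "start")

if __name__ == "__main__":
    check_no_overlap(SPOKES)
    for n in SPOKES:
        print(hub_conn(SPOKES, n))
    print(spoke_conn(SPOKES, "spoke-a"))
```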
Hi Noel!
Thanks for your answer however I got a bit confused with it. So you
meant that I can configure hub-and-spoke topology for routing between
spoke's subnets but the second scenario in which all client traffic is
first routed through the hub cannot be achieved using strongswan only -
I need some complex PBR configurations on both hub and spoke I guess?
--
With kind regards,
Aleksey