Hi Martin,

>> I've added some documentation [1].
>
> I read through the hub-and-spoke setup on the internet. Is my setup
> actually a hub-and-spoke type? I connect from the gateways directly to
> the internet and only the traffic to 192.68.0.0/16 is routed through
> VPN.

What traffic you tunnel does not matter (i.e. whether you use
split-tunneling or tunnel all traffic to the hub), the topology is the
same.

> Also the text in [1] mentions A-C whereas the diagram shows A-D. Is
> this on purpose?

The diagrams show four hosts as I thought that illustrates the
difference between the two approaches a bit better (a full mesh with
three hosts doesn't really illustrate the exponential increase in the
number of required connections).

>>> Out of curiosity, how would you configure the server and client if I
>>> would like to add vpn-third subnet with 192.168.3.0?
>>
>> You'd just add that subnet to the list of remote traffic selectors on
>> the clients and as local traffic selector on the server and the client
>
> So this would (or could) result in the following traffic selectors?
>
> ## IPs:
> Server IP = 192.168.0.1
> First GW = 192.168.1.0/24
> Second GW = 192.168.2.0/24
> Third GW = 192.168.3.0/24
>
> ## Server.conf
> conn vpn-first
>     rightsubnet = 192.168.1.0/24
>     leftsubnet = 192.168.0.0/16
>
> ## First-Gateway.conf
> conn vpn-first
>     rightsubnet = 192.168.0.0/16
>     leftsubnet = 192.168.1.0/24

You could do that but then you'd have to add a passthrough policy for
192.168.1.0/24 on the first gateway (otherwise it would tunnel that
traffic too). Or just set leftsubnet=192.168.2.0/24,192.168.3.0/24 on
the server in this config so the traffic selector gets narrowed and the
first gateway only tunnels traffic for these two subnets.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
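The two alternatives Tobias describes (a wide 192.168.0.0/16 selector on the gateway plus a passthrough policy, versus narrowing the hub's local selector to the other spokes' subnets) written out as complete ipsec.conf fragments. This is an added example, not configuration from the thread or from the strongSwan project; the public addresses (203.0.113.1 for the hub, 198.51.100.10 for the first gateway), the identities @hub and @gw1, and PSK authentication (with the secrets assumed to be in ipsec.secrets) are constructed for illustration and not part of the original message.

```ini
# ---- hub (server) ipsec.conf: constructed example ----
# Public addresses are placeholders from the RFC 5737 documentation ranges;
# authentication is PSK (authby=secret) purely to keep the example short.
config setup

conn %default
    keyexchange=ikev2
    authby=secret
    left=203.0.113.1
    leftid=@hub
    right=%any
    auto=add

# Alternative B (narrowing): the hub offers only the OTHER spokes' subnets as
# its local traffic selector. When the first gateway proposes 192.168.0.0/16,
# IKEv2 narrows the CHILD_SA to 192.168.2.0/24 and 192.168.3.0/24, so the
# gateway never installs a policy that covers its own 192.168.1.0/24.
conn vpn-first
    rightid=@gw1
    rightsubnet=192.168.1.0/24
    leftsubnet=192.168.2.0/24,192.168.3.0/24

conn vpn-second
    rightid=@gw2
    rightsubnet=192.168.2.0/24
    leftsubnet=192.168.1.0/24,192.168.3.0/24

conn vpn-third
    rightid=@gw3
    rightsubnet=192.168.3.0/24
    leftsubnet=192.168.1.0/24,192.168.2.0/24

# ---- first gateway ipsec.conf: constructed example ----
conn vpn-first
    keyexchange=ikev2
    authby=secret
    left=198.51.100.10
    leftid=@gw1
    leftsubnet=192.168.1.0/24
    right=203.0.113.1
    rightid=@hub
    # Alternative A: keep the wide selector on the spoke. This only works
    # together with the passthrough policy below; without it, traffic from
    # 192.168.1.0/24 to 192.168.1.0/24 also matches the /16 tunnel policy.
    rightsubnet=192.168.0.0/16
    auto=start

# Passthrough (shunt) policy so local-to-local traffic bypasses IPsec.
# Not needed if the hub uses the narrowed leftsubnet from alternative B,
# because then the gateway's installed policy is 192.168.1.0/24 <->
# 192.168.2.0/24,192.168.3.0/24 and never covers 192.168.1.0/24 as remote.
conn local-passthrough
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=passthrough
    auto=route
```

After `ipsec reload` on both sides and `ipsec up vpn-first` on the gateway, `ipsec statusall` on the first gateway shows which selectors were actually installed: with the narrowed hub configuration it should list 192.168.2.0/24 and 192.168.3.0/24 as the remote side of the CHILD_SA rather than 192.168.0.0/16, which is the quickest way to confirm that local 192.168.1.0/24 traffic is no longer being pulled into the tunnel.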
