Any input would be appreciated.
On 03/05/2018 05:25 PM, Info wrote:
>
> On 03/05/2018 12:13 PM, Info wrote:
>>
>> I'm looking to VPN every machine in a LAN. I infer that this would be something like a host-to-host config.
>>
>> I'll use swanctl/vici and X.509 certs.
>>
>> I can't identify any configurations that seem right for this at
>>
>> https://www.strongswan.org/testing/testresults/swanctl/
>>
>> Maybe?
>> https://www.strongswan.org/testing/testresults/swanctl/ip-pool/index.html
>>
>> Also, there is a machine outside on the Internet which I'd like to join the party transparently. It's a mail server, so somehow I'd like its mail traffic to not be VPNed, but everything else to be. I guess this might be a roadwarrior with some kind of split for the mail ports.
>>
>
> So my best idea, since IPsec is point-to-point, is to set up a 'hub and spoke' config. IOW designate one machine as the hub and its remote_addrs are IPs of the multiple other members of the LAN which will be in the VPN. Or maybe just the CIDR/24 of the LAN. And all the other members would point to the hub with their remote_addrs. The hub would be a juicy target for attack though, and forwarding must be on.
>
> Of course the traffic selectors would be the CIDR/24 of the LAN, although I haven't figured out how to include a remote machine in the ts since its IP could change. Maybe I could use its resolvable domain name, and DNAT it in through the firewall to the hub. But this doesn't solve the problem of phones and tablets which change outside IPs and don't have resolvable domain names.
>
> And what would 'remote' id= be in the hub? %any?
>

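Added example (editor's note, not part of the thread and not a strongSwan project sample): a pair of swanctl.conf fragments for the hub-and-spoke layout the message sketches, written against the standard swanctl.conf keys. The LAN prefix 10.0.0.0/24, the hub address 10.0.0.1, the identities and the certificate file names are placeholders chosen for illustration. The two `connections` blocks belong in two different files, one on the hub and one on each spoke.

```conf
# ---- hub: /etc/swanctl/swanctl.conf (placeholder addresses/names) ----
connections {
    spokes {
        local_addrs  = 10.0.0.1
        # Accept IKE from any address: LAN members as well as roaming
        # peers (the mail server, phones) whose outer IP changes.
        remote_addrs = %any
        local {
            auth  = pubkey
            certs = hub.pem                  # /etc/swanctl/x509/hub.pem
            id    = "CN=hub.example.test"    # placeholder identity
        }
        remote {
            auth = pubkey
            # %any accepts whatever identity the peer's certificate
            # carries, so the effective trust boundary is the CA below:
            # only the private VPN CA may be trusted here, never a
            # general-purpose CA bundle.
            id      = %any
            cacerts = vpn-ca.pem             # /etc/swanctl/x509ca/vpn-ca.pem
        }
        children {
            lan {
                # The hub fronts the whole LAN and relays spoke-to-spoke
                # traffic, so net.ipv4.ip_forward=1 is required on it.
                local_ts  = 10.0.0.0/24
                # The spoke's own address is taken from the IKE exchange
                # (the 'dynamic' keyword) instead of being hard-coded,
                # which is what makes changing outer IPs workable.
                remote_ts = dynamic
                start_action = none
            }
        }
    }
}

# ---- spoke: /etc/swanctl/swanctl.conf on a LAN member, e.g. 10.0.0.7 ----
connections {
    hub {
        remote_addrs = 10.0.0.1
        local {
            auth  = pubkey
            certs = spoke7.pem               # placeholder
            id    = "CN=spoke7.example.test" # placeholder identity
        }
        remote {
            auth = pubkey
            # Pin the hub's identity: a spoke must not accept another
            # LAN host presenting a valid cert from the same CA as its hub.
            id      = "CN=hub.example.test"
            cacerts = vpn-ca.pem
        }
        children {
            lan {
                local_ts  = dynamic
                remote_ts = 10.0.0.0/24
                # Install a trap policy at load time so LAN traffic is
                # held and triggers IKE rather than leaving in cleartext
                # before the SA exists.
                start_action = trap
            }
        }
    }
}
```

Load with `swanctl --load-all` on each host after placing keys under `/etc/swanctl/private`, certificates under `/etc/swanctl/x509` and the CA under `/etc/swanctl/x509ca`. The design point is where trust lives: with `remote.id = %any` on the hub, the `cacerts` constraint is the only thing deciding who may join, so the VPN CA should be dedicated to this purpose and its issued certificates revoked promptly when a phone or tablet is lost; on the spokes the hub's identity is pinned so that a compromised LAN member cannot impersonate the hub. Exempting specific ports on the mail-server spoke, as the message considers, is done in swanctl.conf with a separate child of `mode = pass` rather than by narrowing the selectors above; that part is not shown here.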