[Swan] VPN setup

Darko Luketic info at icod.de
Mon Jan 19 14:41:14 EET 2015


Hello,

I'm not sure if ipsec/libreswan is the way to go.

What I want is 2 (or more) servers to share the same private subnet.

Let's take the 2 servers scenario for starters.

Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
Both servers should share the same private subnet. 10.0.0.0
s1 should have 10.0.0.1
s2 should have 10.0.0.2
(and likewise sX should have 10.0.0.X for 4,6,8... servers)

I'm not sure where to start or what the configuration should be.

I have created hostkeys on both
s1s2.conf
###
config setup
        protostack=netkey

conn s1s2
        leftid=@s1 #does this need the fqdn?
        left=publicIPv4_of_s1
        leftrsasigkey=theleftkey_s1
        rightid=@s2 #or is this just an internal identifier?
        right=publicIPv4_of_s2
        rightrsasigkey=therightkey_s2
        authby=rsasig
        auto=add
###

I'm not sure how to proceed next.

So the end result should be something like:
mongodb replicaset_s1s2 listen 10.0.0.1:27017 & 10.0.0.2:27017
website1 service listen 10.0.0.1:10000 10.0.0.2:10000
So I can have nginx listening on s1_public_IPs & s2_public_IPs
and this should load balance to 10.0.0.1:10000 & 10.0.0.2:10000
and those should likewise connect to 10.0.0.1:27017 & 10.0.0.2:27017
so I don't need TLS overhead for DB connections.
^ this is just to visualize what I had in mind, so that it's clear why I
need a specific subnet for each server

And the next question is,
let's say I expand those 2 servers to 3 (because mongodb needs an
arbiter, a 3rd server to decide who's the primary and replica)
and the 3rd server should be part of the VPN as 10.0.0.3

What would the configuration look like?
Do I need to assign the IPs before starting ipsec?
And what if I'd like one server to have both 10.0.0.3 and 10.0.0.4?

-- 
Best regards

Darko Luketic
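One way to express the two-server case asked about above, written here as an added example rather than the poster's config or anything from the list's replies; the public addresses and key values are placeholders, and it assumes libreswan's leftsubnet/rightsubnet and leftsourceip/rightsourceip options, with the 10.0.0.x addresses taken from the question:

```ini
# s1s2.conf (example, same file on both hosts; libreswan swaps left/right
# by matching its own public address, so the file does not need editing)
config setup
        protostack=netkey

conn s1s2
        # s1 side: public address, identity, and the private /32 it carries
        left=203.0.113.1
        leftid=@s1
        # paste the line printed by "ipsec showhostkey --left" on s1
        leftrsasigkey=0sAQ...placeholder_s1...
        leftsubnet=10.0.0.1/32
        # use 10.0.0.1 rather than the public IP as source for tunnelled
        # traffic; libreswan's updown script adds the route with this src
        leftsourceip=10.0.0.1
        # s2 side, mirror image
        right=203.0.113.2
        rightid=@s2
        rightrsasigkey=0sAQ...placeholder_s2...
        rightsubnet=10.0.0.2/32
        rightsourceip=10.0.0.2
        authby=rsasig
        # start the tunnel when pluto starts instead of only loading it
        auto=start

# Adding a third host is another conn per pair (s1s3, s2s3); only the
# s1s3 half is shown. A host that should carry two private addresses can
# advertise them with a plural subnets= line (libreswan feature, assumed).
conn s1s3
        left=203.0.113.1
        leftid=@s1
        leftrsasigkey=0sAQ...placeholder_s1...
        leftsubnet=10.0.0.1/32
        leftsourceip=10.0.0.1
        right=203.0.113.3
        rightid=@s3
        rightrsasigkey=0sAQ...placeholder_s3...
        rightsubnets={10.0.0.3/32 10.0.0.4/32}
        rightsourceip=10.0.0.3
        authby=rsasig
        auto=start
```

With this layout, only traffic between the listed 10.0.0.x addresses is matched by the IPsec policy, so a service bound to 10.0.0.1:27017 is reachable from 10.0.0.2 through the tunnel and from nowhere else; check with `ipsec status` and `ip xfrm policy` after `ipsec auto --up s1s2`.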