[Swan] VPN setup

Paul Wouters paul at nohats.ca
Mon Jan 19 19:46:39 EET 2015

On Mon, 19 Jan 2015, Darko Luketic wrote:

> What I want is 2 (or more) servers to share the same private subnet.

That can only be if they ARE in the same subnet. There is a big
difference between layers. If you want to build a distributed
LAN, you need bridges and STP, not IP layer solutions.

> Let's take the 2 servers scenario for starters.
> Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
> Both servers should share the same private subnet.
> s1 should have
> s2 should have
> (and likewise sX should have 10.0.0.X for 4,6,8... servers)

If you just want each server to be able to talk to each other
server on a single IP, you can create IPsec tunnels for /32
subnets (or /64 subnets). If you think this setup will allow
you to broadcast to to reach all servers, then you
need a bridge, not an IPsec server.

In this case, you will need to build one ipsec tunnel between
each host. In your case of s1 to s2 this would be:

> conn s1s2
>        leftid=@s1 #does this need the fqdn?

Can be any unique string you want.

>        left=publicIPv4_of_s1
>        leftrsasigkey=theleftkey_s1
>        rightid=@s2 #or is this just an internal identifier?

Again, any unique string you want. Since FQDNs are unique, that's often

>        right=publicIPv4_of_s2
>        rightrsasigkey=therightkey_s2
>        authby=rsasig
>        auto=add

And you need to add:


> And the next question is,
> let's say I expand those 2 servers to 3 ( because mongodb needs an
> arbiter, a 3rd server to decide who's the primary and replica)
> and the 3rd server should be part of the VPN as
> What would the configuration look like?

You would need to create two tunnels on three hosts, eg:

on s1:  s1s2 and s1s3
on s2:  s1s2 and s2s3
on s3:  s1s3 and s2s3

> Do I need to assign the IPs before starting ipsec?

You don't need to have the IPs before you start, but if you want to
receive or send packets then you need the IPs to be active.

> And what if I'd like one server to have both and

You can use:



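The full mesh described in the reply (one tunnel per host pair, each host loading only the conns it is part of), as an added example that is not part of the thread or of libreswan itself. It assumes leftsubnet/rightsubnet set to the private /32 addresses, which the reply's "you need to add" line refers to but which did not survive archiving; the public addresses and key values are constructed placeholders.

```python
from itertools import combinations

# Constructed inventory, not from the thread: name -> (public IPv4,
# private address on the shared 10.0.0.0/24, RSA pubkey placeholder).
# Real leftrsasigkey/rightrsasigkey values come from `ipsec showhostkey --left`.
HOSTS = {
    "s1": ("198.51.100.1", "10.0.0.1", "0sAQ...KEY_OF_S1"),
    "s2": ("198.51.100.2", "10.0.0.2", "0sAQ...KEY_OF_S2"),
    "s3": ("198.51.100.3", "10.0.0.3", "0sAQ...KEY_OF_S3"),
}

def mesh_pairs(names):
    """One tunnel per pair of hosts: s1s2, s1s3, s2s3 for three hosts."""
    return list(combinations(sorted(names), 2))

def pairs_for_host(name, names):
    """The tunnels a given host must load, e.g. s2 -> s1s2 and s2s3."""
    return [pair for pair in mesh_pairs(names) if name in pair]

def render_conn(left, right, hosts):
    """Render one conn stanza; leftsubnet/rightsubnet are /32 so only the
    two private addresses are carried by the tunnel (no broadcast)."""
    lpub, lpriv, lkey = hosts[left]
    rpub, rpriv, rkey = hosts[right]
    body = [
        "conn %s%s" % (left, right),
        "\tleftid=@%s" % left,
        "\tleft=%s" % lpub,
        "\tleftsubnet=%s/32" % lpriv,
        "\tleftrsasigkey=%s" % lkey,
        "\trightid=@%s" % right,
        "\tright=%s" % rpub,
        "\trightsubnet=%s/32" % rpriv,
        "\trightrsasigkey=%s" % rkey,
        "\tauthby=rsasig",
        "\tauto=add",
    ]
    return "\n".join(body) + "\n"

def ipsec_conf_for_host(name, hosts):
    """Stanzas for one host. The same stanza text works on both ends:
    libreswan decides which side it is by matching left/right addresses."""
    return "\n".join(render_conn(a, b, hosts) for a, b in pairs_for_host(name, hosts))

if __name__ == "__main__":
    for host in sorted(HOSTS):
        print("# /etc/ipsec.d/%s.conf" % host)
        print(ipsec_conf_for_host(host, HOSTS))
```

Adding a fourth host only means adding it to the inventory; every existing host then gains one more stanza, which is the n*(n-1)/2 growth that makes a routed mesh impractical beyond a handful of nodes.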