[Swan] VPN setup
Michael Schwartzkopff
ms at sys4.de
Mon Jan 19 20:21:39 EET 2015
On Monday, 19 January 2015, 13:41:14, Darko Luketic wrote:
> Hello,
>
> I'm not sure if ipsec/libreswan is the way to go.
>
> What I want is 2 (or more) servers to share the same private subnet.
No. IPsec is a layer 3 protocol. You can connect two networks. What you are
looking for is a layer 2 tunnel over a layer 3 network. I would suggest that
you have a look at
http://lartc.org/howto/lartc.tunnel.gre.html
Additionally you could (and perhaps you should) encrypt the traffic of the GRE
tunnel. Here IPsec and StrongS/WAN can help you.
> Let's take the 2 servers scenario for starters.
>
> Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
> Both servers should share the same private subnet. 10.0.0.0
> s1 should have 10.0.0.1
> s2 should have 10.0.0.2
> (and likewise sX should have 10.0.0.X for 4,6,8... servers)
>
> I'm not sure where to start or what the configuration should be.
>
> I have created hostkeys on both
> s1s2.conf
> ###
> config setup
>     protostack=netkey
>
> conn s1s2
>     leftid=@s1 #does this need the fqdn?
>     left=publicIPv4_of_s1
>     leftrsasigkey=theleftkey_s1
>     rightid=@s2 #or is this just an internal identifier?
>     right=publicIPv4_of_s2
>     rightrsasigkey=therightkey_s2
>     authby=rsasig
>     auto=add
> ###
>
> I'm not sure how to proceed next.
>
> So the end result should be something like:
> mongodb replicaset_s1s2 listen 10.0.0.1:27017 & 10.0.0.2:27017
> website1 service listen 10.0.0.1:10000 10.0.0.2:10000
> So I can have nginx listening on s1_public_IPs & s2_public_IPs
> and this should load balance to 10.0.0.1:10000 & 10.0.0.2:10000
> and those should likewise connect to 10.0.0.1:27017 & 10.0.0.2:27017
> so I don't need TLS overhead for DB connections.
> ^ this is just to visualize what I had in mind, so that it's clear why I
> need a specific subnet for each server
>
> And the next question is,
> let's say I expand those 2 servers to 3 ( because mongodb needs an
> arbiter, a 3rd server to decide who's the primary and replica)
> and the 3rd server should be part of the VPN as 10.0.0.3
Perhaps a loadbalancer is what you are looking for?
Kind regards,
Michael Schwartzkopff
--
sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
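Worked example of the "GRE tunnel, then encrypt it with IPsec" approach suggested in the reply, generalised to the full mesh the original post asks about (sX = 10.0.0.X for any number of servers). This is an added example, not code from the thread or from the libreswan project. It assumes three hosts with documentation-range public addresses (198.51.100.1, 203.0.113.2, 192.0.2.3), a public interface name of eth0, and the RSA key placeholders of the original post, which must be replaced with the raw public keys printed by `ipsec showhostkey --left` / `--right` on each host. The script only prints commands and config, so it can be reviewed before anything is applied; the firewall function is the part a practitioner most often forgets: without the `policy` match, plaintext GRE from a spoofed peer address would be accepted straight into 10.0.0.0/24.

```shell
#!/bin/sh
# Added example, not code from the original thread: a full mesh of GRE
# tunnels carrying the shared 10.0.0.0/24 addresses (sX = 10.0.0.X), each
# GRE pair protected by a libreswan transport-mode IPsec connection, plus
# iptables rules that refuse GRE which did not arrive inside IPsec.
# Public addresses are assumed documentation-range placeholders; the RSA
# key placeholders follow the original post and must be replaced with the
# output of 'ipsec showhostkey --left' / '--right' on the respective host.

# Constructed mesh description: "<index> <public-ipv4>" per line.
MESH='1 198.51.100.1
2 203.0.113.2
3 192.0.2.3'

# Public address of host index $1, looked up in $MESH.
pub_of() {
    printf '%s\n' "$MESH" | awk -v i="$1" '$1 == i { print $2 }'
}

# Print the ip(8) commands that build, on host $1, one GRE tunnel to every
# other host. Point-to-point addressing (10.0.0.<me> peer 10.0.0.<them>/32)
# installs a host route to each peer through that peer's own tunnel, so
# every host sees one flat 10.0.0.0/24 without any bridging.
gre_mesh_cmds() {
    me=$1
    my_pub=$(pub_of "$me")
    printf '%s\n' "$MESH" | while read -r idx pub; do
        if [ "$idx" = "$me" ]; then continue; fi
        printf 'ip tunnel add gre%s mode gre local %s remote %s ttl 64\n' \
            "$idx" "$my_pub" "$pub"
        printf 'ip addr add 10.0.0.%s peer 10.0.0.%s/32 dev gre%s\n' \
            "$me" "$idx" "$idx"
        printf 'ip link set gre%s up\n' "$idx"
    done
}

# Print a libreswan config for host $1: one transport-mode SA per peer,
# limited to IP protocol 47 (GRE) so exactly the tunnel traffic is encrypted.
# auto=start (rather than the post's auto=add) brings the SAs up at boot.
ipsec_mesh_conf() {
    me=$1
    my_pub=$(pub_of "$me")
    printf 'config setup\n    protostack=netkey\n\n'
    printf '%s\n' "$MESH" | while read -r idx pub; do
        if [ "$idx" = "$me" ]; then continue; fi
        cat <<EOF
conn s${me}s${idx}-gre
    type=transport
    left=${my_pub}
    leftid=@s${me}
    # placeholder: raw RSA public key of s${me} (ipsec showhostkey --left)
    leftrsasigkey=RSAKEY_s${me}
    leftprotoport=47
    right=${pub}
    rightid=@s${idx}
    # placeholder: raw RSA public key of s${idx} (ipsec showhostkey --right)
    rightrsasigkey=RSAKEY_s${idx}
    rightprotoport=47
    authby=rsasig
    auto=start

EOF
    done
}

# Print iptables rules for public interface $1: admit IKE and ESP, and admit
# GRE only when the kernel's IPsec policy says it was decapsulated from an
# SA. Without the policy match, anyone who can spoof a peer's public
# address can inject plaintext GRE straight into 10.0.0.0/24.
firewall_cmds() {
    ifc=$1
    printf 'iptables -A INPUT -i %s -p udp --dport 500 -j ACCEPT\n' "$ifc"
    printf 'iptables -A INPUT -i %s -p udp --dport 4500 -j ACCEPT\n' "$ifc"
    printf 'iptables -A INPUT -i %s -p esp -j ACCEPT\n' "$ifc"
    printf 'iptables -A INPUT -i %s -p gre -m policy --dir in --pol ipsec --proto esp -j ACCEPT\n' "$ifc"
    printf 'iptables -A INPUT -i %s -p gre -j DROP\n' "$ifc"
}

# Usage on host sN:  sh mesh.sh N cmds eth0 | sh      (tunnels + firewall)
#                    sh mesh.sh N conf > /etc/ipsec.d/mesh.conf
if [ -n "${1:-}" ]; then
    case "${2:-cmds}" in
        cmds) gre_mesh_cmds "$1"; firewall_cmds "${3:-eth0}" ;;
        conf) ipsec_mesh_conf "$1" ;;
    esac
fi
```

After `ipsec restart` on all hosts, `ipsec whack --trafficstatus` should list one SA per peer and `tcpdump -ni eth0 proto 47` on the public interface should stay silent while `ping 10.0.0.2` works; if plaintext GRE shows up there, the transport-mode SA is not being matched and the DROP rule is all that stands between the tunnel and the internet. Adding a fourth server means one more line in MESH and re-running the generator on every host, since each pair needs its own tunnel and SA.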