[Swan] VPN setup

Darko Luketic info at icod.de
Mon Jan 19 22:57:46 EET 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Paul,

thank you for this great, comprehenvise explanation, appreciate it.
Works well. Good throughput too, with 2 nodes at least, not tried with
more yet, but it shouldn't make much of a difference imho, since it's
host to host always. It's almost as if traffic isn't encrypted at all,
almost no overhead. *thumbs up*

On 01/19/2015 06:46 PM, Paul Wouters wrote:
> On Mon, 19 Jan 2015, Darko Luketic wrote:
> 
>> What I want is 2 (or more) servers to share the same private
>> subnet.
> 
> That can only be if there ARE in the same subnet. There is a big 
> difference between layers. If you want to build a distributed LAN,
> you need bridges and STP, not IP layer solutions.
> 
>> Let's take the 2 servers scenario for starters.
>> 
>> Both servers have 1 public ipv4 address and a /64 ipv6 prefix. 
>> Both servers should share the same private subnet. 10.0.0.0 s1
>> should have 10.0.0.1 s2 should have 10.0.0.2 (and likewise sX
>> should have 10.0.0.X for 4,6,8... servers)
> 
> If you just want each server to be able to talk to each other 
> server on a single IP, you can create IPsec tunnels for /32 subnets
> (or /64 subnets). If you think this setup will allow you to
> broadcast to 10.0.0.255 to reach all servers, than you need a
> bridge, not an IPsec server.
> 
> In this case, you will need to build one ipsec tunnel between each
> host. in your case of s1 to s2 this would be:
> 
>> conn s1s2 leftid=@s1 #does this need the fqdn?
> 
> Can be any unique string you want.
> 
>> left=publicIPv4_of_s1 leftrsasigkey=theleftkey_s1 rightid=@s2 #or
>> is this just an internal identifier?
> 
> Again, any unique string you want. Since FQDNs are unique, that's
> often used.
> 
>> right=publicIPv4_of_s2 rightrsasigkey=therightkey_s2 
>> authby=rsasig auto=add
> 
> And you need to add:
> 
> leftsubnet=10.0.0.1/32 rightsubnet=10.0.0.2/32
> 
>> 
>> And the next question is, let's say I expand those 2 servers to 3
>> ( because mongodb needs an arbiter, a 3rd server to decide who's
>> the primary and replica) and the 3rd server should be part of the
>> VPN as 10.0.0.3
>> 
>> What would the configuration look like?
> 
> You would need to create two tunnels on three hosts, eg:
> 
> on s1:  s1s2 and s1s3 on s2:  s1s2 and s2s3 on s3:  s1s3 and s2s3
> 
>> Do I need to assign the IPs before starting ipsec?
> 
> You don't need to have the IPs before you start, but if you want
> to receive or send packets then you need the IPs to be active.
> 
>> And what if I'd like one server to have both 10.0.0.3 and
>> 10.0.0.4?
> 
> You can use:
> 
> leftsubnets=10.0.0.1/32 rightsubnets=10.0.0.3/32,10.0.0.4/32
> 
> Paul
> 

- -- 
Best,

Darko
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJUvW/FAAoJENrR4EaH4PXFirsIAI7Xu2JSZ/qGKLcQfVJtBHsF
pvkdxPahfCUJ9J4Q0eBWGwcryrNAtBPjk6aXLcJeCERPF3nJ3VV8DM2RDJdcLGN7
n9fLZrozrR2NmWyJNCNcJbyPIm0g1jrtTV+DOolVIlC+Ld4eezMNrHZf/Vys+fUE
A5Kz7qntZPDLV4FhwFapb0QYVoOatfVdQZeWgBSKzt7aXW2hD3a8d9e9TN6GcTp6
5B8Kiode4SVgRa2FM4FYp8C1UOgNqxFFWLQvN56nVVjiWCgDIGWDDlrKNIf7aL7p
/+Q6ZBws1mTMhgq41jShvnh9B82Kk0vHCnYfGPQoXyCU2DVDkKzKApjCMaUJdmQ=
=XREp
-----END PGP SIGNATURE-----

More information about the Swan mailing list