[Swan] VPN setup

Darko Luketic info at icod.de
Mon Jan 19 22:57:46 EET 2015

Thank you for this great, comprehensive explanation, appreciate it.
Works well. Good throughput too, with 2 nodes at least, not tried with
more yet, but it shouldn't make much of a difference imho, since it's
host to host always. It's almost as if traffic isn't encrypted at all,
almost no overhead. *thumbs up*

On 01/19/2015 06:46 PM, Paul Wouters wrote:
> On Mon, 19 Jan 2015, Darko Luketic wrote:
>> What I want is 2 (or more) servers to share the same private
>> subnet.
> That can only be if they ARE in the same subnet. There is a big
> difference between layers. If you want to build a distributed LAN,
> you need bridges and STP, not IP layer solutions.
>> Let's take the 2 servers scenario for starters.
>> Both servers have 1 public ipv4 address and a /64 ipv6 prefix. 
>> Both servers should share the same private subnet. s1
>> should have s2 should have (and likewise sX
>> should have 10.0.0.X for 4,6,8... servers)
> If you just want each server to be able to talk to each other 
> server on a single IP, you can create IPsec tunnels for /32 subnets
> (or /64 subnets). If you think this setup will allow you to
> broadcast to to reach all servers, then you need a
> bridge, not an IPsec server.
> In this case, you will need to build one ipsec tunnel between each
> host. In your case of s1 to s2 this would be:
>> conn s1s2
>>     leftid=@s1 #does this need the fqdn?
> Can be any unique string you want.
>>     left=publicIPv4_of_s1
>>     leftrsasigkey=theleftkey_s1
>>     rightid=@s2 #or is this just an internal identifier?
> Again, any unique string you want. Since FQDNs are unique, that's
> often used.
>>     right=publicIPv4_of_s2
>>     rightrsasigkey=therightkey_s2
>>     authby=rsasig
>>     auto=add
> And you need to add:
> leftsubnet= rightsubnet=
>> And the next question is, let's say I expand those 2 servers to 3
>> ( because mongodb needs an arbiter, a 3rd server to decide who's
>> the primary and replica) and the 3rd server should be part of the
>> VPN as
>> What would the configuration look like?
> You would need to create two tunnels on three hosts, eg:
> on s1: s1s2 and s1s3
> on s2: s1s2 and s2s3
> on s3: s1s3 and s2s3
>> Do I need to assign the IPs before starting ipsec?
> You don't need to have the IPs before you start, but if you want
> to receive or send packets then you need the IPs to be active.
>> And what if I'd like one server to have both and
> You can use:
> leftsubnets= rightsubnets=,
> Paul
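Paul's full-mesh advice above, worked through as an added example (mine, not from the original thread and not libreswan's own code): a small Python generator that emits one host-to-host conn stanza per pair of servers, each carrying only the two peers' private addresses as /32 leftsubnet/rightsubnet, and that lists which conns each host has to load. The hostnames s1, s2, s3 and the conn names follow the thread; the public addresses, the 10.0.0.X private addresses and the RSA key strings are constructed placeholders.

```python
"""Generate libreswan conn stanzas for a full mesh of host-to-host tunnels.

Added example (not from the thread or from libreswan): one conn per pair
of servers, each carrying only the two peers' private /32 addresses.
"""
from itertools import combinations

# Constructed sample inventory: name -> (public IPv4, private IPv4, raw RSA pubkey).
# Public addresses are from the documentation range, private ones follow the
# thread's 10.0.0.X scheme, and the keys are placeholders for the real 0s...
# values printed by `ipsec showhostkey --left`.
HOSTS = {
    "s1": ("198.51.100.1", "10.0.0.1", "0sAQ...PLACEHOLDER_KEY_S1"),
    "s2": ("198.51.100.2", "10.0.0.2", "0sAQ...PLACEHOLDER_KEY_S2"),
    "s3": ("198.51.100.3", "10.0.0.3", "0sAQ...PLACEHOLDER_KEY_S3"),
}


def check_inventory(hosts):
    """Refuse inventories where two hosts share a public or private address:
    overlapping /32 subnets would make the tunnel selection ambiguous."""
    for idx, label in ((0, "public"), (1, "private")):
        seen = {}
        for name, rec in hosts.items():
            other = seen.setdefault(rec[idx], name)
            if other != name:
                raise ValueError(f"{label} address {rec[idx]} used by {other} and {name}")
    return True


def conn_stanza(a, b, hosts):
    """One ipsec.conf conn for the pair (a, b). The same text can be loaded on
    both peers: libreswan decides which side is 'left' by matching its own
    address, so left/right is just a naming convention."""
    pub_a, priv_a, key_a = hosts[a]
    pub_b, priv_b, key_b = hosts[b]
    lines = [
        f"conn {a}{b}",
        f"\tleftid=@{a}",             # any unique string; hostnames are convenient
        f"\tleft={pub_a}",
        f"\tleftsubnet={priv_a}/32",  # the private address carried by the tunnel
        f"\tleftrsasigkey={key_a}",
        f"\trightid=@{b}",
        f"\tright={pub_b}",
        f"\trightsubnet={priv_b}/32",
        f"\trightrsasigkey={key_b}",
        "\tauthby=rsasig",
        "\tauto=add",
    ]
    return "\n".join(lines)


def mesh_conns(hosts):
    """{conn_name: stanza} for every unordered pair: n*(n-1)/2 tunnels."""
    check_inventory(hosts)
    return {f"{a}{b}": conn_stanza(a, b, hosts)
            for a, b in combinations(sorted(hosts), 2)}


def conns_for_host(host, hosts):
    """The conn names a given host must load: the n-1 pairs it belongs to."""
    return sorted(f"{a}{b}" for a, b in combinations(sorted(hosts), 2)
                  if host in (a, b))


if __name__ == "__main__":
    for stanza in mesh_conns(HOSTS).values():
        print(stanza, end="\n\n")
    for h in HOSTS:
        print(f"# {h} loads: {', '.join(conns_for_host(h, HOSTS))}")
```

Adding a fourth server only means adding one inventory line; the generator then produces six conns and each host loads three of them, which is the part of Paul's answer that gets tedious to maintain by hand as the mesh grows.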
