[Swan] VPN setup

Paul Wouters paul at nohats.ca
Tue Jan 20 04:11:00 EET 2015


If speed matters, use esp=aes_gcm-null

Paul

Sent from my iPhone

> On Jan 19, 2015, at 15:57, Darko Luketic <info at icod.de> wrote:
> 
> Paul,
> 
> thank you for this great, comprehensive explanation, appreciate it.
> Works well. Good throughput too, with 2 nodes at least, not tried with
> more yet, but it shouldn't make much of a difference imho, since it's
> host to host always. It's almost as if traffic isn't encrypted at all,
> almost no overhead. *thumbs up*
> 
>> On 01/19/2015 06:46 PM, Paul Wouters wrote:
>>> On Mon, 19 Jan 2015, Darko Luketic wrote:
>>> 
>>> What I want is 2 (or more) servers to share the same private
>>> subnet.
>> 
>> That can only be if they ARE in the same subnet. There is a big
>> difference between layers. If you want to build a distributed LAN,
>> you need bridges and STP, not IP layer solutions.
>> 
>>> Let's take the 2 servers scenario for starters.
>>> 
>>> Both servers have 1 public ipv4 address and a /64 ipv6 prefix. 
>>> Both servers should share the same private subnet. 10.0.0.0 s1
>>> should have 10.0.0.1 s2 should have 10.0.0.2 (and likewise sX
>>> should have 10.0.0.X for 4,6,8... servers)
>> 
>> If you just want each server to be able to talk to each other
>> server on a single IP, you can create IPsec tunnels for /32 subnets
>> (or /64 subnets). If you think this setup will allow you to
>> broadcast to 10.0.0.255 to reach all servers, then you need a
>> bridge, not an IPsec server.
>> 
>> In this case, you will need to build one ipsec tunnel between each
>> host. In your case of s1 to s2 this would be:
>> 
>>> conn s1s2
>>>     leftid=@s1  # does this need the fqdn?
>> 
>> Can be any unique string you want.
>> 
>>>     left=publicIPv4_of_s1
>>>     leftrsasigkey=theleftkey_s1
>>>     rightid=@s2  # or is this just an internal identifier?
>> 
>> Again, any unique string you want. Since FQDNs are unique, that's
>> often used.
>> 
>>>     right=publicIPv4_of_s2
>>>     rightrsasigkey=therightkey_s2
>>>     authby=rsasig
>>>     auto=add
>> 
>> And you need to add:
>> 
>>     leftsubnet=10.0.0.1/32
>>     rightsubnet=10.0.0.2/32
>> 
>>> 
>>> And the next question is, let's say I expand those 2 servers to 3
>>> ( because mongodb needs an arbiter, a 3rd server to decide who's
>>> the primary and replica) and the 3rd server should be part of the
>>> VPN as 10.0.0.3
>>> 
>>> What would the configuration look like?
>> 
>> You would need to create two tunnels on three hosts, eg:
>> 
>> on s1:  s1s2 and s1s3
>> on s2:  s1s2 and s2s3
>> on s3:  s1s3 and s2s3
>> 
>>> Do I need to assign the IPs before starting ipsec?
>> 
>> You don't need to have the IPs before you start, but if you want
>> to receive or send packets then you need the IPs to be active.
>> 
>>> And what if I'd like one server to have both 10.0.0.3 and
>>> 10.0.0.4?
>> 
>> You can use:
>> 
>>     leftsubnets=10.0.0.1/32
>>     rightsubnets=10.0.0.3/32,10.0.0.4/32
>> 
>> Paul
> 
> --
> Best,
> 
> Darko

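Putting Paul's answers together, as an added example that is not from the thread or the Libreswan project: a small Python generator for the full-mesh ipsec.conf (one conn per host pair, /32 subnets per private address, authby=rsasig, esp=aes_gcm-null, auto=add) plus the per-host subset each node has to load. The host inventory, public IPs and key strings are constructed placeholders.

```python
from itertools import combinations

# Constructed inventory: placeholder public IPs and RSA key strings, not values from the thread.
# s3 carries two private addresses, the 10.0.0.3 + 10.0.0.4 case from the thread.
HOSTS = {
    "s1": {"public": "198.51.100.1", "private": ["10.0.0.1"], "rsasigkey": "0sAQ...S1KEY"},
    "s2": {"public": "198.51.100.2", "private": ["10.0.0.2"], "rsasigkey": "0sAQ...S2KEY"},
    "s3": {"public": "198.51.100.3", "private": ["10.0.0.3", "10.0.0.4"], "rsasigkey": "0sAQ...S3KEY"},
}


def conn_name(a, b):
    """Name the tunnel in sorted order so both ends agree on it (s1s2, never s2s1)."""
    a, b = sorted((a, b))
    return f"{a}{b}"


def conn_block(a, b, hosts=HOSTS):
    """Render one host-to-host conn; the lower-named host is always 'left' so both ends render identically."""
    a, b = sorted((a, b))
    left, right = hosts[a], hosts[b]
    lines = [
        f"conn {conn_name(a, b)}",
        f"\tleft={left['public']}",
        f"\tleftid=@{a}",                       # any unique string; the hostname is convenient
        f"\tleftrsasigkey={left['rsasigkey']}",
        "\tleftsubnets=" + ",".join(f"{ip}/32" for ip in left["private"]),
        f"\tright={right['public']}",
        f"\trightid=@{b}",
        f"\trightrsasigkey={right['rsasigkey']}",
        "\trightsubnets=" + ",".join(f"{ip}/32" for ip in right["private"]),
        "\tauthby=rsasig",
        "\tesp=aes_gcm-null",                   # AEAD cipher, no separate integrity algorithm
        "\tauto=add",                           # loaded at start; bring up with: ipsec auto --up <name>
    ]
    return "\n".join(lines) + "\n"


def full_mesh(hosts=HOSTS):
    """Every pair of hosts gets exactly one tunnel: n*(n-1)/2 conns for n hosts."""
    return {conn_name(a, b): conn_block(a, b, hosts) for a, b in combinations(sorted(hosts), 2)}


def conns_for(host, hosts=HOSTS):
    """The subset a given host must load (s2 needs s1s2 and s2s3, nothing else)."""
    return {conn_name(a, b): conn_block(a, b, hosts)
            for a, b in combinations(sorted(hosts), 2) if host in (a, b)}


if __name__ == "__main__":
    print("".join(conns_for("s1").values()))
```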