[Swan] VPN setup
Paul Wouters
paul at nohats.ca
Tue Jan 20 04:11:00 EET 2015
If speed matters, use esp=aes_gcm-null
Paul
Sent from my iPhone
> On Jan 19, 2015, at 15:57, Darko Luketic <info at icod.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Paul,
>
> thank you for this great, comprehenvise explanation, appreciate it.
> Works well. Good throughput too, with 2 nodes at least, not tried with
> more yet, but it shouldn't make much of a difference imho, since it's
> host to host always. It's almost as if traffic isn't encrypted at all,
> almost no overhead. *thumbs up*
>
>> On 01/19/2015 06:46 PM, Paul Wouters wrote:
>>> On Mon, 19 Jan 2015, Darko Luketic wrote:
>>>
>>> What I want is 2 (or more) servers to share the same private
>>> subnet.
>>
>> That can only be if there ARE in the same subnet. There is a big
>> difference between layers. If you want to build a distributed LAN,
>> you need bridges and STP, not IP layer solutions.
>>
>>> Let's take the 2 servers scenario for starters.
>>>
>>> Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
>>> Both servers should share the same private subnet. 10.0.0.0 s1
>>> should have 10.0.0.1 s2 should have 10.0.0.2 (and likewise sX
>>> should have 10.0.0.X for 4,6,8... servers)
>>
>> If you just want each server to be able to talk to each other
>> server on a single IP, you can create IPsec tunnels for /32 subnets
>> (or /64 subnets). If you think this setup will allow you to
>> broadcast to 10.0.0.255 to reach all servers, than you need a
>> bridge, not an IPsec server.
>>
>> In this case, you will need to build one ipsec tunnel between each
>> host. in your case of s1 to s2 this would be:
>>
>>> conn s1s2 leftid=@s1 #does this need the fqdn?
>>
>> Can be any unique string you want.
>>
>>> left=publicIPv4_of_s1 leftrsasigkey=theleftkey_s1 rightid=@s2 #or
>>> is this just an internal identifier?
>>
>> Again, any unique string you want. Since FQDNs are unique, that's
>> often used.
>>
>>> right=publicIPv4_of_s2 rightrsasigkey=therightkey_s2
>>> authby=rsasig auto=add
>>
>> And you need to add:
>>
>> leftsubnet=10.0.0.1/32 rightsubnet=10.0.0.2/32
>>
>>>
>>> And the next question is, let's say I expand those 2 servers to 3
>>> ( because mongodb needs an arbiter, a 3rd server to decide who's
>>> the primary and replica) and the 3rd server should be part of the
>>> VPN as 10.0.0.3
>>>
>>> What would the configuration look like?
>>
>> You would need to create two tunnels on three hosts, eg:
>>
>> on s1: s1s2 and s1s3 on s2: s1s2 and s2s3 on s3: s1s3 and s2s3
>>
>>> Do I need to assign the IPs before starting ipsec?
>>
>> You don't need to have the IPs before you start, but if you want
>> to receive or send packets then you need the IPs to be active.
>>
>>> And what if I'd like one server to have both 10.0.0.3 and
>>> 10.0.0.4?
>>
>> You can use:
>>
>> leftsubnets=10.0.0.1/32 rightsubnets=10.0.0.3/32,10.0.0.4/32
>>
>> Paul
>
> - --
> Best,
>
> Darko
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJUvW/FAAoJENrR4EaH4PXFirsIAI7Xu2JSZ/qGKLcQfVJtBHsF
> pvkdxPahfCUJ9J4Q0eBWGwcryrNAtBPjk6aXLcJeCERPF3nJ3VV8DM2RDJdcLGN7
> n9fLZrozrR2NmWyJNCNcJbyPIm0g1jrtTV+DOolVIlC+Ld4eezMNrHZf/Vys+fUE
> A5Kz7qntZPDLV4FhwFapb0QYVoOatfVdQZeWgBSKzt7aXW2hD3a8d9e9TN6GcTp6
> 5B8Kiode4SVgRa2FM4FYp8C1UOgNqxFFWLQvN56nVVjiWCgDIGWDDlrKNIf7aL7p
> /+Q6ZBws1mTMhgq41jShvnh9B82Kk0vHCnYfGPQoXyCU2DVDkKzKApjCMaUJdmQ=
> =XREp
> -----END PGP SIGNATURE-----
More information about the Swan
mailing list