Connecting Subnets Behind More Than Two Gateways
Connecting subnets behind two gateways is pretty straightforward. You just set up a connection between the two and define the subnets as local and remote traffic selectors (local|remote_ts in swanctl.conf, left|rightsubnet in ipsec.conf).
But let's say you have four gateways A, B, C, and D, each connected to a local subnet (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, and 10.4.0.0/16, respectively) and want to connect the four subnets with each other.
There are basically two ways to do this (since all is based on IP, a mix of the two is also possible):
- Hub and spoke: Connect two (or more) gateways to a central one. This requires one connection between each spoke and the central hub (n - 1 connections for n gateways). So assuming A acts as hub that'd be connections A <-> B, A <-> C and A <-> D with extra subnets in the traffic selectors (or additional IPsec SAs if IKEv1 is used) for the subnets behind the spokes. For instance, for the connection between A and B you'd also include the subnets behind C and D, that is, on A you have local_ts=10.1.0.0/16,10.3.0.0/16,10.4.0.0/16 and remote_ts=10.2.0.0/16, and on B local_ts=10.2.0.0/16 and remote_ts=10.1.0.0/16,10.3.0.0/16,10.4.0.0/16 (analogous for the connections between A and C, and A and D). When using IKEv2 this could be simplified a bit by using narrowing and configuring remote_ts=0.0.0.0/0 on B, which the hub A could then narrow to the subnets it has configured as local_ts for this connection.
           +---+
    +------+ A +------+
    |      +-+-+      |
    |        |        |
  +-+-+    +-+-+    +-+-+
  | B |    | C |    | D |
  +---+    +---+    +---+
This hub-and-spoke setup may also be used to connect subnets behind just two gateways via a third gateway, as is demonstrated by the swanctl/net2net-gw scenario.
- Full mesh: This requires establishing connections between all of the four (or more) gateways (n * (n - 1)/2 connections). So in the example above this requires six connections (A <-> B, A <-> C, A <-> D, B <-> C, B <-> D, C <-> D) and each connection has exactly one subnet in the local and remote traffic selector. For instance, for the connection between A and B you'd just configure remote_ts=10.1.0.0/16 on B because traffic to e.g. 10.3.0.0/16 is handled by the separate connection between B and C.
           +---+
    +------+ A +------+
    |      +-+-+      |
  +-+-+      |      +-+-+
  | B +------|------+ D |
  +-+-+      |      +-+-+
    |      +-+-+      |
    +------+ C +------+
           +---+
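To make the two traffic-selector layouts concrete, here is an added example (not part of the strongSwan documentation or code) that derives the local_ts/remote_ts pairs for both topologies from the four gateways above, renders them as swanctl.conf-style child fragments, and answers "which peer carries traffic from gateway X to subnet Y". The function and section names are assumptions chosen for this illustration; the rendered fragments show only the traffic selectors, not a complete swanctl.conf.

```python
from itertools import combinations

# Constructed example: the four gateways and subnets used in the text above.
GATEWAYS = {"A": "10.1.0.0/16", "B": "10.2.0.0/16",
            "C": "10.3.0.0/16", "D": "10.4.0.0/16"}

def hub_and_spoke(gateways, hub):
    """n-1 connections keyed (hub, spoke) -> {gw: (local_ts, remote_ts)}.
    The hub lists its own subnet plus every other spoke's subnet as local_ts,
    so each spoke reaches the remaining subnets through the hub."""
    conns = {}
    for spoke, spoke_net in gateways.items():
        if spoke == hub:
            continue
        hub_side = [net for gw, net in gateways.items() if gw != spoke]
        conns[(hub, spoke)] = {hub: (hub_side, [spoke_net]),
                               spoke: ([spoke_net], hub_side)}
    return conns

def full_mesh(gateways):
    """n*(n-1)/2 connections, each with exactly one subnet per side."""
    conns = {}
    for a, b in combinations(sorted(gateways), 2):
        conns[(a, b)] = {a: ([gateways[a]], [gateways[b]]),
                         b: ([gateways[b]], [gateways[a]])}
    return conns

def next_hop(conns, gw, dst):
    """Peer whose connection on `gw` has `dst` in its remote_ts, else None."""
    for (x, y), sides in conns.items():
        if gw in sides and dst in sides[gw][1]:
            return y if x == gw else x
    return None

def swanctl_children(conns, gw):
    """Render child fragments (traffic selectors only) for gateway `gw`."""
    lines = []
    for (x, y), sides in conns.items():
        if gw not in sides:
            continue
        peer = y if x == gw else x
        local, remote = sides[gw]
        lines += [f"{gw.lower()}-{peer.lower()} {{",
                  f"    local_ts = {','.join(local)}",
                  f"    remote_ts = {','.join(remote)}", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(swanctl_children(hub_and_spoke(GATEWAYS, "A"), "B"))
    print(swanctl_children(full_mesh(GATEWAYS), "B"))
```

Running it shows that in hub-and-spoke B has a single child whose remote_ts lists three subnets, while in full mesh B has three children with one subnet each.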