Connecting Subnets Behind More Than Two Gateways

Connecting subnets behind two gateways is pretty straightforward. You just set up a connection between the two and define the subnets as local and remote traffic selectors (local|remote_ts in swanctl.conf, left|rightsubnet in ipsec.conf).

But let's say you have four gateways A, B, C, and D, each connected to a local subnet (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, and 10.4.0.0/16, respectively) and want to connect the four subnets with each other.

There are basically two ways to do this (since all is based on IP, a mix of the two is also possible):

  • Hub and spoke: Connect two (or more) gateways to a central one. This requires one connection between each spoke and the central hub (n - 1 connections for n gateways). So assuming A acts as hub, that'd be the connections A <-> B, A <-> C and A <-> D, with extra subnets in the traffic selectors (or additional IPsec SAs if IKEv1 is used) for the subnets behind the other spokes. For instance, for the connection between A and B you'd also include the subnets behind C and D, that is, on A you have local_ts=10.1.0.0/16,10.3.0.0/16,10.4.0.0/16 and remote_ts=10.2.0.0/16, and on B local_ts=10.2.0.0/16 and remote_ts=10.1.0.0/16,10.3.0.0/16,10.4.0.0/16 (analogous for the connections between A and C, and A and D). When using IKEv2 this could be simplified a bit by using narrowing and configuring remote_ts=0.0.0.0/0 on B, which the hub A could then narrow to the subnets it has configured as local_ts for this connection.
             +---+
      +------+ A +------+
      |      +-+-+      |
      |        |        |
    +-+-+    +-+-+    +-+-+
    | B |    | C |    | D |
    +---+    +---+    +---+
    

    This hub-and-spoke setup may also be used to connect subnets behind just two gateways via a third gateway, as is demonstrated by the swanctl/net2net-gw scenario.

  • Full mesh: This requires establishing connections between all of the four (or more) gateways (for n gateways that's n * (n - 1)/2 connections). So in the example above this requires six connections (A <-> B, A <-> C, A <-> D, B <-> C, B <-> D, C <-> D), and each connection has exactly one subnet in the local and remote traffic selector. For instance, for the connection between A and B you'd just configure remote_ts=10.1.0.0/16 on B, because traffic to e.g. 10.3.0.0/16 is handled by the separate connection between B and C.
             +---+
      +------+ A +------+
      |      +-+-+      |
    +-+-+      |      +-+-+
    | B +------|------+ D |
    +-+-+      |      +-+-+
      |      +-+-+      |
      +------+ C +------+
             +---+
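An added swanctl.conf example (not from the original page or the strongSwan project) for the hub-and-spoke connection A <-> B described above; for the full mesh the only difference is that each child carries exactly one subnet on each side (e.g. B <-> C with local_ts = 10.2.0.0/16 and remote_ts = 10.3.0.0/16 on B). Public addresses, identities and certificate file names are placeholders.

```conf
# --- Gateway A (hub): connection to spoke B ---
# A must forward IP (net.ipv4.ip_forward=1): B's traffic to 10.3.0.0/16 is
# decrypted on A and re-encrypted towards C, so the hub sees it in the clear.
connections {
    hub-to-b {
        version = 2
        remote_addrs = 198.51.100.2      # B's public address (placeholder)
        local {
            auth = pubkey
            certs = gwA.pem              # placeholder certificate name
            id = gwa.example.org
        }
        remote {
            auth = pubkey
            id = gwb.example.org
        }
        children {
            net-b {
                # A's own subnet plus the subnets behind the other spokes C and D
                local_ts = 10.1.0.0/16,10.3.0.0/16,10.4.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = trap
            }
        }
    }
}
# --- Gateway B (spoke): mirror image of the hub's child ---
connections {
    b-to-hub {
        version = 2
        remote_addrs = 198.51.100.1      # A's public address (placeholder)
        local {
            auth = pubkey
            certs = gwB.pem              # placeholder certificate name
            id = gwb.example.org
        }
        remote {
            auth = pubkey
            id = gwa.example.org
        }
        children {
            net-hub {
                local_ts = 10.2.0.0/16
                remote_ts = 10.1.0.0/16,10.3.0.0/16,10.4.0.0/16
                start_action = trap
            }
        }
    }
}
```

The connections hub-to-c and hub-to-d on A are analogous, moving the respective spoke's subnet from local_ts to remote_ts. With IKEv2, B could instead set remote_ts = 0.0.0.0/0 and let A narrow it, but note that a trap policy for 0.0.0.0/0 would then catch all of B's outbound traffic until the CHILD_SA is established.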