Connecting Subnets Behind More Than Two Gateways » History » Version 1
Tobias Brunner, 15.07.2016 18:46
| 1 | 1 | Tobias Brunner | h1. Connecting Subnets Behind More Than Two Gateways |
|---|---|---|---|
| 2 | 1 | Tobias Brunner | |
| 3 | 1 | Tobias Brunner | Connecting subnets behind two gateways is pretty straight forward. You just setup a connection between the two and define the subnets as local and remote traffic selectors (_local|remote_ts_ in [[swanctl.conf]], _left|rightsubnet_ in [[ipsec.conf]]). |
| 4 | 1 | Tobias Brunner | |
| 5 | 1 | Tobias Brunner | But let's say you have three gateways A, B and C, each connected to a local subnet (10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, respectively) and want to connect the three subnets with each other. |
| 6 | 1 | Tobias Brunner | |
| 7 | 1 | Tobias Brunner | There are basically two ways to do this: |
| 8 | 1 | Tobias Brunner | |
| 9 | 1 | Tobias Brunner | * **Hub and spoke**: Connect two (or more) gateways to the third central one. This requires one connection between each spoke and the the central hub (@n - 1@ connections for @n@ gateways). So assuming A acts as hub that'd be connections A <-> B and A <-> C with extra subnets in the traffic selectors (or additional IPsec SAs if IKEv1 is used) for the subnets behind the spokes. For instance, for the connection between A and B you'd include the subnet behind C, that is, on A you have _local_ts=10.1.0.0/16,10.3.0.0/16_ and _remote_ts=10.2.0.0/16_, and on B _local_ts=10.2.0.0/16_ and _remote_ts=10.1.0.0/16,10.3.0.0/16_ (analogous for the connection between A and C). |
| 10 | 1 | Tobias Brunner | |
| 11 | 1 | Tobias Brunner | <pre> |
| 12 | 1 | Tobias Brunner | +---+ |
| 13 | 1 | Tobias Brunner | +------+ A +------+ |
| 14 | 1 | Tobias Brunner | | +-+-+ | |
| 15 | 1 | Tobias Brunner | | | | |
| 16 | 1 | Tobias Brunner | +-+-+ +-+-+ +-+-+ |
| 17 | 1 | Tobias Brunner | | B | | C | | D | |
| 18 | 1 | Tobias Brunner | +---+ +---+ +---+ |
| 19 | 1 | Tobias Brunner | </pre> |
| 20 | 1 | Tobias Brunner | |
| 21 | 1 | Tobias Brunner | This hub-and-spoke setup may also be used to connect subnets behind just two gateways via a third gateway, as is demonstrated by the {{tc(swanctl/net2net-gw)}} scenario. |
| 22 | 1 | Tobias Brunner | * **Full mesh**: This requires establishing connections between all of the three (or more) gateways (for @n@ gateways that's @n * (n - 1)/2@ connections). So in the example above this requires three connections (A <-> B, A <-> C, B <-> C) and each connection exactly has one subnet in the local and remote traffic selector. For instance, for the connection between A and B you'd just configure _remote_ts=10.1.0.0/16_ on B because traffic to _10.3.0.0/16_ is handled by the separate connection between B and C. |
| 23 | 1 | Tobias Brunner | <pre> |
| 24 | 1 | Tobias Brunner | +---+ |
| 25 | 1 | Tobias Brunner | +------+ A +------+ |
| 26 | 1 | Tobias Brunner | | +-+-+ | |
| 27 | 1 | Tobias Brunner | +-+-+ | +-+-+ |
| 28 | 1 | Tobias Brunner | | B +------|------+ D | |
| 29 | 1 | Tobias Brunner | +-+-+ | +-+-+ |
| 30 | 1 | Tobias Brunner | | +-+-+ | |
| 31 | 1 | Tobias Brunner | +------+ C +------+ |
| 32 | 1 | Tobias Brunner | +---+ |
| 33 | 1 | Tobias Brunner | </pre> |