Connecting Subnets Behind More Than Two Gateways » History » Version 2
Tobias Brunner, 20.07.2016 15:29
Updated the text to describe four hosts
| 1 | 1 | Tobias Brunner | h1. Connecting Subnets Behind More Than Two Gateways |
|---|---|---|---|
| 2 | 1 | Tobias Brunner | |
| 3 | 1 | Tobias Brunner | Connecting subnets behind two gateways is pretty straight forward. You just setup a connection between the two and define the subnets as local and remote traffic selectors (_local|remote_ts_ in [[swanctl.conf]], _left|rightsubnet_ in [[ipsec.conf]]). |
| 4 | 1 | Tobias Brunner | |
| 5 | 2 | Tobias Brunner | But let's say you have four gateways A, B C, and D, each connected to a local subnet (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, and 10.4.0.0/16, respectively) and want to connect the four subnets with each other. |
| 6 | 1 | Tobias Brunner | |
| 7 | 2 | Tobias Brunner | There are basically two ways to do this (since all is based on IP, a mix of the two is also possible): |
| 8 | 1 | Tobias Brunner | |
| 9 | 2 | Tobias Brunner | * **Hub and spoke**: Connect two (or more) gateways to a central one. This requires one connection between each spoke and the the central hub (@n - 1@ connections for @n@ gateways). So assuming A acts as hub that'd be connections A <-> B, A <-> C and A <-> D with extra subnets in the traffic selectors (or additional IPsec SAs if IKEv1 is used) for the subnets behind the spokes. For instance, for the connection between A and B you'd also include the subnets behind C and D, that is, on A you have _local_ts=10.1.0.0/16,10.3.0.0/16,10.4.0.0/16_ and _remote_ts=10.2.0.0/16_, and on B _local_ts=10.2.0.0/16_ and _remote_ts=10.1.0.0/16,10.3.0.0/16,10.4.0.0/16_ (analogous for the connections between A and C, and A and D). When using IKEv2 this could be simplified a bit by using narrowing and configuring _remote_ts=0.0.0.0/0_ on B, which the hub A could then narrow to the subnets it has configured as _local_ts_ for this connection. |
| 10 | 1 | Tobias Brunner | |
| 11 | 1 | Tobias Brunner | <pre> |
| 12 | 1 | Tobias Brunner | +---+ |
| 13 | 1 | Tobias Brunner | +------+ A +------+ |
| 14 | 1 | Tobias Brunner | | +-+-+ | |
| 15 | 1 | Tobias Brunner | | | | |
| 16 | 1 | Tobias Brunner | +-+-+ +-+-+ +-+-+ |
| 17 | 1 | Tobias Brunner | | B | | C | | D | |
| 18 | 1 | Tobias Brunner | +---+ +---+ +---+ |
| 19 | 1 | Tobias Brunner | </pre> |
| 20 | 1 | Tobias Brunner | |
| 21 | 1 | Tobias Brunner | This hub-and-spoke setup may also be used to connect subnets behind just two gateways via a third gateway, as is demonstrated by the {{tc(swanctl/net2net-gw)}} scenario. |
| 22 | 2 | Tobias Brunner | * **Full mesh**: This requires establishing connections between all of the four (or more) gateways (for @n@ gateways that's @n * (n - 1)/2@ connections). So in the example above this requires six connections (A <-> B, A <-> C, A <-> D, B <-> C, B <-> D, C <-> D) and each connection exactly has one subnet in the local and remote traffic selector. For instance, for the connection between A and B you'd just configure _remote_ts=10.1.0.0/16_ on B because traffic to e.g. _10.3.0.0/16_ is handled by the separate connection between B and C. |
| 23 | 1 | Tobias Brunner | <pre> |
| 24 | 1 | Tobias Brunner | +---+ |
| 25 | 1 | Tobias Brunner | +------+ A +------+ |
| 26 | 1 | Tobias Brunner | | +-+-+ | |
| 27 | 1 | Tobias Brunner | +-+-+ | +-+-+ |
| 28 | 1 | Tobias Brunner | | B +------|------+ D | |
| 29 | 1 | Tobias Brunner | +-+-+ | +-+-+ |
| 30 | 1 | Tobias Brunner | | +-+-+ | |
| 31 | 1 | Tobias Brunner | +------+ C +------+ |
| 32 | 1 | Tobias Brunner | +---+ |
| 33 | 1 | Tobias Brunner | </pre> |