There are many articles on the Internet about establishing an IPsec connection between two Linux servers.
But what if you have three or more servers that all need to reach each other?
Things get a little (not much) more complicated when you want to connect three or more servers via IPsec.
I will use strongSwan to establish the connections between the servers.
Let's walk through the installation and configuration.
I have three servers: one in New York, one in London and one in Frankfurt.
You must pick one server as the main gateway (the hub that the others connect to). I will use the London server, because it sits geographically between the other two, so the extra hop costs the least latency.
London (gateway):
Public IP Address: 184.108.40.206
Private subnet: 10.0.10.0/24
New York:
Public IP Address: 220.127.116.11
Private subnet: 10.0.20.0/24
Frankfurt:
Public IP Address: 18.104.22.168
Private subnet: 10.0.30.0/24
IP forwarding is needed only on the gateway, because traffic between New York and Frankfurt is decrypted on London and forwarded into the other tunnel. Enable it on the London server:
sysctl -w net.ipv4.ip_forward=1
This takes effect immediately but does not survive a reboot, so also persist the same setting in /etc/sysctl.conf or in a file under /etc/sysctl.d/.
Install strongSwan on all three servers:
apt install strongswan
Any firewall between the servers must allow UDP 500 and UDP 4500 (IKE and NAT traversal) and ESP (IP protocol 50) between the public addresses, or the tunnels will never come up.
I will configure strongSwan on the New York server first.
Open /etc/ipsec.conf and add the following configuration to the file:
uniqueids = yes
In rightsubnet you specify which subnets you want to reach from the New York server. I want New York to reach both London and Frankfurt, so I added the private subnets of those two servers (10.0.10.0/24 and 10.0.30.0/24) to rightsubnet, separated by a comma. Both are reached through the single tunnel to London; New York never talks to Frankfurt directly.
Add a secret key to the
22.214.171.124 : PSK "add_some_longer_stuff_here"
The key must be identical on both ends of a tunnel, and the address at the start of the line is the public IP of the peer this server talks to (on the spoke servers, that is the London gateway). Replace the placeholder with a long random value (32 random bytes, base64-encoded, is a reasonable minimum), and keep the file readable by root only. Using one key for every server means that whoever compromises one spoke can impersonate the gateway to the other; strongSwan selects a secret by the IDs listed in front of it, so you can put both the local and the remote public IP on the line and give each spoke its own key.
The configuration on the New York server is complete.
Follow the same steps for the Frankfurt server, with 10.0.30.0/24 as its own subnet and 10.0.10.0/24,10.0.20.0/24 as rightsubnet.
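The spoke-side files as one renderable piece, an added example rather than the article's own configuration. It assumes IKEv2 with pre-shared keys, the explicit cipher proposals shown, and the address-to-city mapping from the server list above; the conn name to-london and the helper names are mine.

```shell
#!/bin/sh
# Added example, not the article's own files: render the spoke-side
# strongSwan configuration for one branch server (New York here).
# Assumptions: IKEv2 with pre-shared keys, the cipher proposals below, and
# the address-to-city mapping taken from the server list (assumed).
set -eu

GW_PUB=184.108.40.206    # London gateway, public IP (assumed mapping)
GW_NET=10.0.10.0/24      # London private subnet
NY_PUB=220.127.116.11    # this spoke's public IP (assumed mapping)
NY_NET=10.0.20.0/24      # this spoke's private subnet
FRA_NET=10.0.30.0/24     # Frankfurt private subnet, reached via London

# Render /etc/ipsec.conf for a spoke.
#   $1 own public IP   $2 own subnet   $3 gateway public IP
#   $4 comma-separated subnets reachable through the gateway
spoke_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    authby = secret
    # Explicit, strict ("!") proposals: never fall back to weaker defaults.
    ike = aes256-sha256-ecp384!
    esp = aes256gcm16-ecp384!
    # Dead-peer detection: re-establish the tunnel if the gateway vanishes.
    dpdaction = restart
    dpddelay = 30s

conn to-london
    left = $1
    leftsubnet = $2
    right = $3
    rightsubnet = $4
    auto = start
EOF
}

# A fresh 256-bit key, base64-encoded; replaces "add_some_longer_stuff_here".
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Render /etc/ipsec.secrets. Both addresses go on the selector line, so the
# key is offered only to this exact peer pair.
#   $1 own public IP   $2 gateway public IP   $3 PSK
spoke_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Stand-alone run: print both files. On the real host, redirect them into
# /etc/ipsec.conf and /etc/ipsec.secrets (the latter mode 0600, owned by
# root) and apply with "ipsec reload" and "ipsec rereadsecrets".
PSK=$(gen_psk)
echo '### /etc/ipsec.conf'
spoke_ipsec_conf "$NY_PUB" "$NY_NET" "$GW_PUB" "$GW_NET,$FRA_NET"
echo '### /etc/ipsec.secrets'
spoke_ipsec_secrets "$NY_PUB" "$GW_PUB" "$PSK"
```

The Frankfurt spoke is the same script with its own addresses and 10.0.10.0/24,10.0.20.0/24 as the fourth argument; the generated key must then be copied, over a separate trusted channel, into the gateway's secrets file.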
Configuration of the gateway server (London)
On the gateway I need one conn block per spoke in /etc/ipsec.conf:
uniqueids = yes
The leftsubnet of each block lists the source ranges whose traffic may enter that tunnel. On the gateway it must therefore contain not only London's own subnet but also the other spoke's subnet, otherwise packets arriving from one tunnel match no selector of the other and are dropped.
For example, the london-frankfurt block carries the tunnel between London and Frankfurt. When a packet reaches the London server, strongSwan matches its source and destination against the traffic selectors of the installed tunnels:
If the source is 10.0.10.0/24 (London) or 10.0.20.0/24 (New York) and the destination is 10.0.30.0/24 (Frankfurt), the packet is encrypted into the london-frankfurt tunnel.
If the source is 10.0.10.0/24 (London) or 10.0.30.0/24 (Frankfurt) and the destination is 10.0.20.0/24 (New York), the packet is encrypted into the tunnel to New York.
Two things follow from this design. London decrypts every New York to Frankfurt packet and re-encrypts it, so the gateway sees all spoke-to-spoke traffic in the clear and must be trusted accordingly. And because the packets are forwarded between tunnels, any iptables FORWARD rules on London must permit traffic between the two spoke subnets.
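The gateway-side files that implement the selector logic just described, as an added example that is not the article's own configuration. Same assumptions as before (IKEv2, pre-shared keys, the proposals shown, the assumed address-to-city mapping); the conn name london-newyork and the helper names are mine.

```shell
#!/bin/sh
# Added example, not the article's own files: render the gateway-side
# strongSwan configuration for London. Assumptions: IKEv2 with pre-shared
# keys, the proposals below, and the assumed address-to-city mapping.
set -eu

GW_PUB=184.108.40.206;  GW_NET=10.0.10.0/24   # London (assumed mapping)
NY_PUB=220.127.116.11;  NY_NET=10.0.20.0/24   # New York (assumed mapping)
FRA_PUB=18.104.22.168;  FRA_NET=10.0.30.0/24  # Frankfurt (assumed mapping)

# One conn block per spoke. leftsubnet is the gateway's own subnet plus the
# OTHER spoke's subnet: a packet decrypted from one tunnel then matches the
# selector of the other tunnel and is re-encrypted instead of dropped.
#   $1 conn name  $2 spoke public IP  $3 spoke subnet  $4 other spoke's subnet
hub_conn() {
    cat <<EOF

conn $1
    left = $GW_PUB
    leftsubnet = $GW_NET,$4
    right = $2
    rightsubnet = $3
    auto = start
EOF
}

# Render /etc/ipsec.conf for the gateway.
hub_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    authby = secret
    ike = aes256-sha256-ecp384!
    esp = aes256gcm16-ecp384!
    dpdaction = restart
    dpddelay = 30s
EOF
    hub_conn london-newyork   "$NY_PUB"  "$NY_NET"  "$FRA_NET"
    hub_conn london-frankfurt "$FRA_PUB" "$FRA_NET" "$NY_NET"
}

# Render /etc/ipsec.secrets: one key per spoke, selected by the
# (gateway, spoke) address pair, so a key stolen from one branch cannot be
# used to impersonate the other branch.
#   $1 New York PSK   $2 Frankfurt PSK
hub_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$GW_PUB" "$NY_PUB"  "$1"
    printf '%s %s : PSK "%s"\n' "$GW_PUB" "$FRA_PUB" "$2"
}

# Stand-alone run: print both files. The placeholders are where the keys
# generated on each spoke go; the gateway also needs net.ipv4.ip_forward=1.
echo '### /etc/ipsec.conf'
hub_ipsec_conf
echo '### /etc/ipsec.secrets (mode 0600, root only)'
hub_ipsec_secrets '<newyork-psk>' '<frankfurt-psk>'
```

After the files are in place and strongSwan has been restarted, ipsec statusall on London should list both connections as ESTABLISHED, and the CHILD_SA lines should show the two-subnet traffic selectors on the gateway side; if a spoke-to-spoke ping fails while both tunnels are up, the first things to check are ip_forward and the FORWARD chain on London.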
Restart strongSwan on all servers and test the connectivity:
service strongswan-starter restart
The gateway server (London) can reach every subnet:
One of the spoke servers (New York) can reach all hosts:
Same for the Frankfurt server:
Note the RTT values: traffic between New York and Frankfurt passes through London, so its round-trip time is roughly the sum of the New York to London and London to Frankfurt legs.
Here is the screenshot covering all configurations: