<div dir="ltr"><div><div><div>Hi, <br><br>I have about fifty roadwarriors that use my strongSwan-powered VPN proxy. I would like to assign a static IP address (IPv4) to each roadwarrior that internally uses IKEv1 to tunnel its traffic through my server. <br>
<br>According to the documentation, the ipsec pool utility can be used for this purpose [ <a href="http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool">http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool</a> ]. I have the following questions about ipsec pool and assigning static IP addresses to these roadwarriors:<br>
<br>1) I would like to know if there is any other way, apart from enabling the attr-sql plugin, to maintain a static mapping between a roadwarrior client's identifier (credentials) and the IP address assigned to it by the strongSwan server. <br>
</div></div><div>2) If I have to use the attr-sql-plugin will ipsec read all the configurations such as entries in the ipsec.conf, ipsec.secrets, and strongswan.conf from the respective files or do I have to move the entries present in these files to the database?<br>
3) I would like to know if I can dynamically add new entries, i.e., mappings between new roadwarriors and IP addresses, to this file or any other file that can be used for this purpose, without restarting ipsec. I would like to know if ipsec rereadall will do the trick if I add new entries to this file. <br>
</div><div><br>My ipsec.conf is as follows. I do not want to add a new conn entry for each roadwarrior. I tried this once, but it increased the connection establishment time. <br><br><pre>
config setup
        # plutodebug="all"
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=yes
        # plutostart=yes
        # charondebug=4 # UNCOMMENT TO ENABLE DEBUGGING

# Add connections here.

# Sample VPN connections
conn mobile
        compress=no
        type=tunnel
        auto=add
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftid=@&lt;my-server-hostname&gt;
        leftsourceip=10.11.101.101
        # leftsourceip=%config
        leftsubnet=0.0.0.0/0
        leftcert=&lt;my-server-certificate&gt;
        leftrsasigkey=%cert
        right=%any
        leftfirewall=yes
        rightsourceip=10.11.1.2/24
        ikelifetime=999h
        lifetime=985h
        margintime=5h
</pre></div><br></div>Thanks and Regards,<br>Ashwin<br></div>
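<div>Added example, not part of the original post: the shape of an attr-sql backed address pool as the linked IpsecPool wiki page describes it, which is the mechanism the question is about. The pool name <code>roadwarriors</code>, the sqlite database path and the address range are assumptions chosen for illustration; the strongswan.conf key shown is the one charon uses for the attr-sql plugin, and the plugin plus a SQL backend (sqlite here) must be compiled in. Connection definitions stay in ipsec.conf; only the pool and its leases live in the database.<br></div>

```conf
# /etc/strongswan.conf (example fragment, assumed paths): point the attr-sql
# plugin at the lease database. The database file is created once from the
# sqlite schema template shipped with strongSwan and must be readable by the
# daemon only, since it records which identity holds which address.
charon {
        plugins {
                attr-sql {
                        database = sqlite:///etc/ipsec.d/ipsec.db
                }
        }
}

# /etc/ipsec.conf (example fragment): instead of a literal subnet, reference
# the named pool so every roadwarrior matches the same conn and draws its
# address from the database-backed pool.
conn mobile
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=%roadwarriors
        auto=add
```

<div>The pool itself is created with the ipsec pool tool rather than by editing a file, for example <code>ipsec pool --add roadwarriors --start 10.11.1.1 --end 10.11.1.50 --timeout 0</code>; a timeout of 0 marks the leases as static, so an identity keeps the address it was first given instead of having it expire and be handed to another client. <code>ipsec pool --status</code> shows the pools and <code>ipsec pool --leases</code> lists the identity-to-address assignments, which is also the record to check when auditing who held a given address at a given time.<br></div>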