[strongSwan] ipsec detection on isc dhcpd

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 14 20:14:34 CEST 2011

Hello Christ,

did you have a look at the following example scenarios which
use charon's dhcp plugin?





On 07/14/2011 07:23 PM, Christ Schlacta wrote:
> I've dedicated an entire /23 to strongswan IKEv2 clients, and would like
> to be able to have charon query ISC dhcpd to acquire IP addresses and
> other parameters.  It would be nice if in addition, I could use a
> user-specified attribute of the IKEv2 identity as a hostname (for
> example, my certificates are configured such that cn=hostname).  It
> would also be nice if I could tell Windows the connection specific DNS
> suffix, which there seems to be no RFC to specify at present, that's a
> suggestion for future RFC refinements.
> I keep running into 2 problems and a minor issue:
> 1) the DHCP server never gets requests.  I've tried specifying
> and the specific DHCP server address, and neither
> results in queries arriving at the DHCP server, which is on the same
> device as strongswan
> 2) I've reserved the address range with some subnet parameters, et al on
> the DHCP server, but have no generic way to match "this query has come
> from charon, so issue it an IP address from this pool".  There's no
> virtual device for charon, so I can't specify an IP address in the
> range, or similar, and I'm at a complete loss how to accomplish this now.
> 3) This is somewhat less.  There's no way to specify a certificate
> attribute as hostname or other, anything except the "ikev2 identity"
> can't be passed in the DHCP request insofar as I can identify.

