[strongSwan] ipsec detection on isc dhcpd

Christ Schlacta lists at aarcane.org
Fri Jul 15 04:59:01 CEST 2011


Yes, I carefully examined both scenarios, however, both of them fail to 
autonomously identify "any IKEv2 request" and require that identities or 
auto-generated MAC addresses be entered into dhcpd.conf ahead of time, 
which is just infeasible on a large scale.

On 7/14/2011 11:14, Andreas Steffen wrote:
> Hello Christ,
>
> did you have a look at the following example scenarios which
> use charon's dhcp plugin?
>
> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-client-id/
>
> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-mac/
>
> Regards
>
> Andreas
>
> On 07/14/2011 07:23 PM, Christ Schlacta wrote:
>> I've dedicated an entire /23 to strongSwan IKEv2 clients, and would like
>> to be able to have charon query ISC dhcpd to acquire IP addresses and
>> other parameters.  It would be nice if, in addition, I could use a
>> user-specified attribute of the IKEv2 identity as a hostname (for
>> example, my certificates are configured such that cn=hostname).  It
>> would also be nice if I could tell Windows the connection-specific DNS
>> suffix, which there seems to be no RFC to specify at present; that's a
>> suggestion for future RFC refinements.
>>
>> I keep running into 2 problems and a minor issue:
>>
>> 1) The DHCP server never gets requests.  I've tried specifying
>> 255.255.255.255 and the specific DHCP server address, and neither
>> results in queries arriving at the DHCP server, which is on the same
>> device as strongSwan.
>> 2) I've reserved the address range with some subnet parameters, et al., on
>> the DHCP server, but have no generic way to match "this query has come
>> from charon, so issue it an IP address from this pool".  There's no
>> virtual device for charon, so I can't specify an IP address in the
>> range, or similar, and I'm at a complete loss how to accomplish this now.
>> 3) This is somewhat less important.  There's no way to specify a certificate
>> attribute as hostname or other; anything except the "IKEv2 identity"
>> can't be passed in the DHCP request insofar as I can identify.
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
