[strongSwan] ipsec detection on isc dhcpd

[Andreas Steffen]

So why don't let you assign the strongSwan VPN gateway assign the
virtual IP addresses out of a special large pool as in the following
scenario:

http://www.strongswan.org/uml/testresults/ikev2/ip-pool/

we know of some customers who are running more than 50'000 tunnels
with that approach. Internal DNS servers and other information can
also be assigned either via strongswan.conf and the attr plugin or
via an SQLite or MySQL database and the attr-sql plugin as in

http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/

Regards

Andreas

On 07/15/2011 04:59 AM, Christ Schlacta wrote:
> yes, I carefully examined both scanarios, however, both of them fail to
> autonomously identify "any ikev2 request" and require that identities or
> auto-generated MAC addresses be entered into dhcpd.conf ahead of time,
> which is just infeasible on a large scale.
> 
> On 7/14/2011 11:14, Andreas Steffen wrote:
>> Hello Christ,
>>
>> did you have a look at the following example scenarios which
>> use charon's dhcp plugin?
>>
>> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-client-id/
>>
>> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-mac/
>>
>> Regards
>>
>> Andreas
>>
>> On 07/14/2011 07:23 PM, Christ Schlacta wrote:
>>> I've dedicated an entire /23 to strongswan IKEv2 clients, and would like
>>> to be able to have charon query ISC dhcpd to acquire IP addressi and
>>> other parameters.  It would be nice if in addition, I could use a
>>> user-specified attribute of the IKEv2 identity as a hostname (for
>>> example, my certificates are configured such that cn=hostname).  it
>>> would also be nice if I could tell windows the connection specific dns
>>> suffix, which there seems to be no RFC to specify at present, that's a
>>> suggestion for future RFC refinements.
>>>
>>> I keep running into 2 problems an a minor issue:
>>>
>>> 1) the DHCP server never gets requests.  I've tried specifying
>>> 255.255.255.255 and the specific DHCP server address, and neither
>>> results in queries arriving at the DHCP server, which is on the same
>>> device as strongswan
>>> 2) I've reserved the address range with some subnet parameters, et al on
>>> the dhcp server, but have no generic way to match "this query has come
>>> from charon, so issue it an IP address from this pool".  there's no
>>> virtual device for charon, so I can't specify an IP address in the
>>> range, or similar, and I'm at a complete loss how to accomplish this
>>> now.
>>> 3) this is somewhat less.  there's no way to specify a certificate
>>> attribute as hostname or other, anything except the "ikev2 identity"
>>> can't be passed in the dhcp request insofar as I can identify.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==