[strongSwan] ipsec detection on isc dhcpd

Christ Schlacta lists at aarcane.org
Fri Jul 15 06:02:25 CEST 2011

I'm using this now, but there are some attributes that attr won't send 
that 1) I'm hoping DHCP will, (connection specific DNS suffix, which 
allows hostname to resolve instead of hostname.example.com) and 2) farp 
doesn't seem to be working for me without dhcp, nor does routing of any 
sort, and I'm hoping that using dhcp will fix that.  I may post 
regarding that issue if more research doesn't let me enable proper 
two-way communications.

On 7/14/2011 20:51, Andreas Steffen wrote:
> So why don't let you assign the strongSwan VPN gateway assign the
> virtual IP addresses out of a special large pool as in the following
> scenario:
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool/
> we know of some customers who are running more than 50'000 tunnels
> with that approach. Internal DNS servers and other information can
> also be assigned either via strongswan.conf and the attr plugin or
> via an SQLite or MySQL database and the attr-sql plugin as in
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
> Regards
> Andreas
> On 07/15/2011 04:59 AM, Christ Schlacta wrote:
>> yes, I carefully examined both scenarios, however, both of them fail to
>> autonomously identify "any ikev2 request" and require that identities or
>> auto-generated MAC addresses be entered into dhcpd.conf ahead of time,
>> which is just infeasible on a large scale.
>> On 7/14/2011 11:14, Andreas Steffen wrote:
>>> Hello Christ,
>>> did you have a look at the following example scenarios which
>>> use charon's dhcp plugin?
>>> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-client-id/
>>> http://www.strongswan.org/uml/testresults/ikev2/dhcp-static-mac/
>>> Regards
>>> Andreas
>>> On 07/14/2011 07:23 PM, Christ Schlacta wrote:
>>>> I've dedicated an entire /23 to strongswan IKEv2 clients, and would like
>>>> to be able to have charon query ISC dhcpd to acquire IP addresses and
>>>> other parameters.  It would be nice if in addition, I could use a
>>>> user-specified attribute of the IKEv2 identity as a hostname (for
>>>> example, my certificates are configured such that cn=hostname).  It
>>>> would also be nice if I could tell windows the connection specific dns
>>>> suffix, which there seems to be no RFC to specify at present, that's a
>>>> suggestion for future RFC refinements.
>>>> I keep running into 2 problems and a minor issue:
>>>> 1) the DHCP server never gets requests.  I've tried specifying
>>>> and the specific DHCP server address, and neither
>>>> results in queries arriving at the DHCP server, which is on the same
>>>> device as strongswan
>>>> 2) I've reserved the address range with some subnet parameters, et al on
>>>> the dhcp server, but have no generic way to match "this query has come
>>>> from charon, so issue it an IP address from this pool".  There's no
>>>> virtual device for charon, so I can't specify an IP address in the
>>>> range, or similar, and I'm at a complete loss how to accomplish this
>>>> now.
>>>> 3) This is somewhat less.  There's no way to specify a certificate
>>>> attribute as hostname or other, anything except the "ikev2 identity"
>>>> can't be passed in the dhcp request insofar as I can identify.
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==