[strongSwan] DHCP over IPsec

Andreas Steffen andreas.steffen at strongswan.org
Mon May 23 21:09:32 CEST 2011


Hi Mark,

strongSwan as a client does not support DHCP-over-IPsec as defined
by RFC 3456, although we introduced the left|rightprotoport
configuration option about 10 years ago to allow the setup of
short-lived DHCP SAs for 0.0.0.0/0 restricted to the bootps port on
a strongSwan gateway, successfully interoperating with the SSH
Sentinel client which at that time implemented RFC 3456. Later
on everyone abandoned DHCP-over-IPsec in favour of the IKEv2
configuration payload.

If you prefer a DHCP server to assign a virtual IP address to
your strongSwan client, we recommend switching to IKEv2 and activating
the dhcp and farp plugins on a strongSwan gateway which will then act
as a DHCP proxy server. Have a look at the following example scenarios:

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-dynamic/

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-static-client-id

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-static-mac/

Best regards

Andreas

On 05/23/2011 08:05 PM, Mark.Marwil at gdc4s.com wrote:
> All,
>
> I would like to find out if the strongswan client on a roadwarrior
> supports obtaining a virtual ip address through dhcp over ipsec as
> defined by RFC 3456.
>
> I would like to set up the configuration described at
> http://www.strongswan.org/uml/testresults/ikev1/mode-config/index.html
>
> But instead of carol using %modeconfig to get a leftsourceip, she gets
> it through dhcp. Is this possible through a custom _updown script?
>
> Thank you,
>
> Mark Marwil

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
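
A sketch of the gateway and client configuration that the reply above recommends, added here as an example; it is not part of the original message and not copied from the linked strongSwan test scenarios. All addresses, identities and certificate file names are constructed, and it assumes the dhcp and farp plugins were built into the gateway and are loaded.

```conf
# ---- Gateway: ipsec.conf (all values constructed for illustration) ----
conn rw
    keyexchange=ikev2               # virtual IP is delivered in the IKEv2 configuration payload
    left=192.0.2.1                  # constructed public address of the gateway
    leftsubnet=10.1.0.0/16          # constructed internal LAN where the DHCP server lives
    leftcert=gatewayCert.pem        # hypothetical certificate file name
    leftid=@gateway.example.org
    right=%any                      # roadwarriors connect from any address
    rightsourceip=%dhcp             # request each client's virtual IP from the dhcp plugin
    auto=add

# ---- Gateway: strongswan.conf ----
charon {
    plugins {
        dhcp {
            # Where the plugin sends its DHCP requests. The constructed value is
            # the broadcast address of the LAN above; a unicast server address
            # also works.
            server = 10.1.255.255
            # Optional: derive the DHCP client ID and MAC address from the IKEv2
            # identity, so a given identity keeps getting the same lease.
            # identity_lease = yes
        }
        # The farp plugin needs no options. It answers ARP requests on the LAN
        # for the virtual IPs handed out to clients, so internal hosts send
        # return traffic to the gateway.
    }
}

# ---- Client (roadwarrior): ipsec.conf ----
conn home
    keyexchange=ikev2
    left=%any
    leftsourceip=%config            # ask the gateway for a virtual IP
    leftcert=clientCert.pem         # hypothetical certificate file name
    leftid=client@example.org
    right=192.0.2.1
    rightid=@gateway.example.org
    rightsubnet=10.1.0.0/16
    auto=start
```

With this layout the DHCP exchange stays on the gateway's internal LAN and is never tunnelled; the client only sees an ordinary IKEv2 configuration payload.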



