[strongSwan] DHCP over IPsec

Mark.Marwil at gdc4s.com Mark.Marwil at gdc4s.com
Mon May 23 22:55:42 CEST 2011


Andreas,

Thank you very much for the information.  I have one more question, when
using modeconfig to set the virtual ip, is it possible to send the
roadwarrior's hostname as part of the modeconfig request? 

The reason I ask is that my gateway is a Cisco ASA which does not
support IKEv2. The ASA is acting as a DHCP proxy, and I need to have the
roadwarrior's hostname in the DHCP request. If it is impossible to send
the hostname I will look into upgrading the ASA to a version that
supports IKEv2. 

Thank you,
Mark Marwil



-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Monday, May 23, 2011 12:10 PM
To: Marwil, Mark-P63354
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] DHCP over IPsec

Hi Mark,

strongSwan as a client does not support DHCP-over-IPsec as defined
by RFC 3456, although we introduced the left|rightprotoport
configuration option about 10 years ago to allow the setup of
short-lived DHCP SAs for 0.0.0.0/0  restricted to the bootps port on
a strongSwan gateway, successfully interoperating with the SSH
Sentinel client which at that time implemented RFC 3456. Later
on everyone abandoned DHCP-over-IPsec in favour of the IKEv2
configuration payload.

If you prefer a DHCP server to assign a virtual IP address to
your strongSwan client, we recommend to switch to IKEv2 and activate
the dhcp and farp plugins on a strongSwan gateway which will then act
as a DHCP proxy server. Have a look at the following example scenarios:

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-dynamic/

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-static-client-id

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-static-mac/

Best regards

Andreas

On 05/23/2011 08:05 PM, Mark.Marwil at gdc4s.com wrote:
> All,
> 
>  
> 
> I would like to find out if the strongswan client on a roadwarrior
> supports obtaining a virtual ip address through dhcp over ipsec as
> defined by RFC 3456. 
> 
>  
> 
> I would like to set up the configuration described at
> http://www.strongswan.org/uml/testresults/ikev1/mode-config/index.html
> 
> But instead of carol using %modeconfig to get a leftsourceip, she gets
> it through dhcp.  Is this possible though a custom _updown script?
> 
>  
> 
> Thank you,
> 
> Mark Marwil

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list