[strongSwan] IKEv1 and IP pools

[Peter Sagerson]

I'm working on setting up a strongSwan server to support a large number of clients (including Apple iOS, so I'm stuck with IKEv1). I've crossed a number of hurdles and have individual connections working fine, but I'm currently stuck on virtual IPs. There seems to be contradictory information regarding this, although it's not looking good. The wiki page on virtual IPs[1] is a little coy, but certainly seems to suggest that IP pools are a charon-only feature. This list message from Feb 2009[2] seems to confirm it quite clearly. But then this subsequent message from Sep 2010[3] states "IKEv1 with IP pools:  strongSwan is the only choice!".

So just to be clear, let's say I want to support a large number of IKEv1 clients (think thousands of iPhones) with XAUTH/RSA. Is there any practical way to do this with strongSwan? The pessimistic interpretation of the available information suggests that I would have to produce a unique RSA identity, regenerate a massive ipsec.conf, and restart the server every time I wanted to add an authorized device. (Note that XAUTH is sufficient for my authorization policies; the RSA identifies have no value in this regard). Is there a better way? I'm currently using strongSwan 4.3.2 on Ubuntu 10.04, although that's not set in stone.

Thanks,
Peter


[1] http://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
[2] https://lists.strongswan.org/pipermail/users/2009-February/003140.html
[3] https://lists.strongswan.org/pipermail/users/2010-September/005293.html