[strongSwan] IKEv1 and IP pools

Peter Sagerson psagers at ignorare.net
Tue Feb 14 23:58:20 CET 2012


I'm working on setting up a strongSwan server to support a large number of clients (including Apple iOS, so I'm stuck with IKEv1). I've crossed a number of hurdles and have individual connections working fine, but I'm currently stuck on virtual IPs. There seems to be contradictory information regarding this, although it's not looking good. The wiki page on virtual IPs[1] is a little coy, but certainly seems to suggest that IP pools are a charon-only feature. This list message from Feb 2009[2] seems to confirm it quite clearly. But then this subsequent message from Sep 2010[3] states "IKEv1 with IP pools:  strongSwan is the only choice!".

So just to be clear, let's say I want to support a large number of IKEv1 clients (think thousands of iPhones) with XAUTH/RSA. Is there any practical way to do this with strongSwan? The pessimistic interpretation of the available information suggests that I would have to produce a unique RSA identity, regenerate a massive ipsec.conf, and restart the server every time I wanted to add an authorized device. (Note that XAUTH is sufficient for my authorization policies; the RSA identities have no value in this regard.) Is there a better way? I'm currently using strongSwan 4.3.2 on Ubuntu 10.04, although that's not set in stone.

Thanks,
Peter


[1] http://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
[2] https://lists.strongswan.org/pipermail/users/2009-February/003140.html
[3] https://lists.strongswan.org/pipermail/users/2010-September/005293.html