[strongSwan] IKEv1 and IP pools

Tobias Brunner tobias at strongswan.org
Wed Feb 15 18:12:28 CET 2012


Hi Peter,

> The wiki page on virtual IPs[1] is a little coy, but
> certainly seems to suggest that IP pools are a charon-only feature.

How so?  Regarding IKEv1 it states "The feature set is similar to that
in IKEv2, but not all features are supported."

> This list message from Feb 2009[2] seems to confirm it quite clearly.

Well, that statement was written three years ago.  Granted the version
you are using (4.3.2) is not much newer and the above statement still
applies to it.  But a quick look into our changelog shows that support
for virtual IP pools for IKEv1 was added in 4.4.0 (May 2010).

> So just to be clear, let's say I want to support a large number of
> IKEv1 clients (think thousands of iPhones) with XAUTH/RSA. Is there
> any practical way to do this with strongSwan?  

You have to use a newer version, but then you should be able to use
rightsourceip=<net>/<bits> to define a subnet large enough to handle all
the clients.

Regards,
Tobias
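
Added example, not part of the original message: a minimal `ipsec.conf` connection for the IKEv1 XAUTH/RSA case discussed above, on strongSwan 4.4.0 or later, with the virtual IP pool defined through `rightsourceip`. The connection name, the certificate file name, the full-tunnel `leftsubnet` and the 10.3.0.0/18 range are assumptions chosen for illustration.

```conf
# /etc/ipsec.conf (illustrative; names and addresses below are assumptions)
conn ios-xauth-rsa              # hypothetical connection name
    keyexchange=ikev1
    authby=xauthrsasig          # RSA signatures followed by XAUTH
    xauth=server                # the gateway acts as the XAUTH server
    left=%defaultroute
    leftcert=gatewayCert.pem    # placeholder certificate file name
    leftsubnet=0.0.0.0/0        # assumption: all client traffic goes through the tunnel
    right=%any                  # clients connect from arbitrary addresses
    rightsourceip=10.3.0.0/18   # virtual IP pool; a /18 spans 16,384 addresses
    auto=add
```

Size the prefix for the peak number of concurrent clients, and keep the range distinct from the subnets behind the gateway.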



