[strongSwan] Static IP addresses to roadwarriors

Ashwin Rao ashwin.shirvanthe at gmail.com
Wed Aug 7 11:36:06 CEST 2013


Hi,

I have about fifty roadwarriors that use my strongSwan-powered VPN proxy. I
would like to assign a static IP address (IPv4) to each roadwarrior that
internally uses IKEv1 to tunnel its traffic through my server.

According to the documentation, the ipsec pool utility can be used for this
purpose [ http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool ].
I have the following questions about ipsec pool and assigning static IP
addresses to these roadwarriors:

1) I would like to know if there is any other way, apart from enabling the
attr-sql-plugin, to maintain a static mapping between a roadwarrior client's
identifier (credentials) and the IP address assigned to it by the strongSwan
server.
2) If I have to use the attr-sql-plugin, will ipsec read all the
configuration, such as the entries in ipsec.conf, ipsec.secrets, and
strongswan.conf, from the respective files, or do I have to move the entries
present in these files to the database?
3) I would like to know if I can dynamically add new entries, i.e., mappings
between new roadwarriors and IP addresses, to this file or any other file
that can be used for this purpose, without restarting ipsec. I would like
to know if ipsec rereadall shall do the trick if I add new entries to this
file.

My ipsec.conf is as follows. I do not want to add a new conn entry for each
roadwarrior. I tried this once, but it increased the connection
establishment time.

config setup
    # plutodebug="all"
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=yes
    #plutostart=yes
    #charondebug=4 # UNCOMMENT TO ENABLE DEBUGGING

# Add connections here.

# Sample VPN connections
conn mobile
    compress=no
    type=tunnel
    auto=add
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftid=@<my-server-hostname>
    leftsourceip=10.11.101.101
    # leftsourceip=%config
    leftsubnet=0.0.0.0/0
    leftcert=<my-server-certificate>
    leftrsasigkey=%cert
    right=%any
    leftfirewall=yes
    rightsourceip=10.11.1.2/24
    ikelifetime=999h
    lifetime=985h
    margintime=5h

Thanks and Regards,
Ashwin