[strongSwan] Static IP addresses to roadwarriors
Ashwin Rao
ashwin.shirvanthe at gmail.com
Wed Aug 7 11:36:06 CEST 2013
Hi,
I have about fifty roadwarriors that use my strongSwan-powered VPN proxy. I
would like to assign a static IP address (IPv4) to each roadwarrior that
internally uses IKEv1 to tunnel their traffic through my server.
According to the documentation, the ipsec pool utility can be used for this
purpose [ http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool ].
I have the following questions about ipsec pool and assigning static IP
addresses to these roadwarriors:
1) I would like to know if there is any other way apart from enabling
attr-sql-plugin to maintain a static mapping between a roadwarrior client's
identifier (credentials) and the IP address assigned to it by the strongSwan
server.
2) If I have to use the attr-sql-plugin, will ipsec read all the
configurations such as entries in the ipsec.conf, ipsec.secrets, and
strongswan.conf from the respective files, or do I have to move the entries
present in these files to the database?
3) I would like to know if I can dynamically add new entries, i.e., mappings
between new roadwarriors and IP addresses, to this file or any other file
that can be used for this purpose, without restarting ipsec. I would like
to know if ipsec rereadall shall do the trick if I add new entries to this
file.
My ipsec.conf is as follows. I do not want to add a new conn entry for each
roadwarrior. I tried this once, but it increased the connection
establishment time.
config setup
        # plutodebug="all"
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=yes
        #plutostart=yes
        #charondebug=4 # UNCOMMENT TO ENABLE DEBUGGING

# Add connections here.
# Sample VPN connections
conn mobile
        compress=no
        type=tunnel
        auto=add
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftid=@<my-server-hostname>
        leftsourceip=10.11.101.101
        # lefsourceip=%config
        leftsubnet=0.0.0.0/0
        leftcert=<my-server-certificate>
        leftrsasigkey=%cert
        right=%any
        leftfirewall=yes
        rightsourceip=10.11.1.2/24
        ikelifetime=999h
        lifetime=985h
        margintime=5h

Thanks and Regards,
Ashwin