[strongSwan] Static IP addresses to roadwarriors
martin at strongswan.org
Wed Aug 7 12:25:05 CEST 2013
> 1) I would like to know if there are any other way apart from enabling
> attr-sql-plugin to maintain a static mapping between a roadwarrior clients
> identifier (credentials) and the IP address assigned to it by Strongswan
The in-memory pool configured with an explicit rightsourceip reassigns
leases while charon is running, but a static assignment is not possible.
Leases are not stored on disk, so after a restart these leases are gone.
Both the dhcp and the eap-radius plugin can provide virtual IP addresses
as well. Both use a third party server (DHCP or RADIUS) to manage
leases, so it might be possible to keep them static.
The simplest solution is probably using the attr-sql plugin.
> 2) If I have to use the attr-sql-plugin will ipsec read all the
> configurations such as entries in the ipsec.conf, ipsec.secrets, and
> strongswan.conf from the respective files or do I have to move the entries
> present in these files to the database?
attr-sql provides virtual IPs and other IKE attributes only. You'll
still need the ipsec.conf configuration, just replace rightsourceip to
point to the named pool provided by your database.
There is the sql plugin that would allow you to store full
configurations in a database, but there is currently no convenient
frontend to fill the database.
> 3) I would like to know if I can dynamically add new entries, i.e, mapping
> between new roadwarriors and ip addresses to this file or any other file
> that can be used for this purpose, without restarting ipsec. I would like
> to know if ipsec rereadall shall do the trick if I add new entries to this
You can add entries dynamically during runtime, no restart required.
However, active tunnels are not affected from changes to the database.
"rereadall" is not required after updating the database; this command
has no effects on the attr-sql plugin.
More information about the Users