[strongSwan] Static IP addresses to roadwarriors

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 7 12:29:54 CEST 2013


Hello Ashwin,

On 08/07/2013 11:36 AM, Ashwin Rao wrote:
> 
> I have about fifty roadwarriors that use my strongswan powered VPN
> proxy. I would like to assign a static IP address (IPv4) to each
> roadwarrior that internally uses IKEv1 to tunnel their traffic through
> my server.
> 
> According to the documentation, the ipsec pool utility can be used for
> this purpose [
> http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool ]. I have
> the following questions about ipsec pool and assigning static IP
> addresses to these roadwarriors:
> 
> 1) I would like to know if there is any other way apart from enabling
> attr-sql-plugin to maintain a static mapping between a roadwarrior
> client's identifier (credentials) and the IP address assigned to it by
> Strongswan server.
The alternative introduced with strongSwan 5.0.3 is to store the static
IP addresses assigned to users on a RADIUS server. See

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-framed-ip-radius/

> 2) If I have to use the attr-sql-plugin will ipsec read all the
> configurations such as entries in the ipsec.conf, ipsec.secrets, and
> strongswan.conf from the respective files or do I have to move the
> entries present in these files to the database?
No, you don't have to move the connection definitions from ipsec.conf
and the credentials from ipsec.secrets to the database, see

http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/

but you could:

http://www.strongswan.org/uml/testresults/sql/ip-pool-db/

> 3) I would like to know if I can dynamically add new entries, i.e.,
> mapping between new roadwarriors and IP addresses to this file or any
> other file that can be used for this purpose, without restarting ipsec.
> I would like to know if ipsec rereadall shall do the trick if I add new
> entries to this file.
>
If you opt for the attr-sql or eap-radius solution then new entries in
the SQL database or on the RADIUS server, respectively, are available
immediately.

If you are assigning static IP addresses by adding connections in
ipsec.conf as in

http://www.strongswan.org/uml/testresults/ikev2/config-payload/

then you must execute

  ipsec update

in order for them to become known to the charon daemon. Existing
connections will not be disrupted using ipsec update.

> My ipsec.conf is as follows. I do not want to add a new conn entry for
> each roadwarrior. I tried this once, but it increased the connection
> establishment time.
> 
> config setup
>     # plutodebug="all"
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     # charonstart=yes
>     #plutostart=yes
>     #charondebug=4 # UNCOMMENT TO ENABLE DEBUGGING
> 
> # Add connections here.
> 
> # Sample VPN connections
> conn mobile
>     compress=no
>     type=tunnel
>     auto=add
>     keyexchange=ikev1
>     authby=xauthrsasig
>     xauth=server
>     left=%defaultroute
>     leftid=@<my-server-hostname>
>     leftsourceip=10.11.101.101
>     # leftsourceip=%config
>     leftsubnet=0.0.0.0/0
>     leftcert=<my-server-certificate>
>     leftrsasigkey=%cert
>     right=%any
>     leftfirewall=yes
>     rightsourceip=10.11.1.2/24
>     ikelifetime=999h
>     lifetime=985h
>     margintime=5h
> 
> Thanks and Regards,
> Ashwin

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
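A configuration check for the per-connection approach discussed above, added here as an example and not code from strongSwan or from either poster: it parses ipsec.conf conn sections and flags two mistakes a static-address deployment tends to accumulate, the same fixed rightsourceip appearing in two conns and a fixed address that falls inside the dynamic pool. The conn names, rightid values and addresses in the sample are constructed.

```python
import ipaddress
import re

# Constructed sample ipsec.conf: a dynamic-pool conn (as in the quoted config) plus per-roadwarrior conns with fixed addresses.
SAMPLE_CONF = """\
conn mobile
    right=%any
    rightsourceip=10.11.1.2/24
conn rw-alice
    rightid=alice@example.org
    rightsourceip=10.11.2.10
conn rw-bob
    rightid=bob@example.org
    rightsourceip=10.11.2.10
conn rw-carol
    rightid=carol@example.org
    rightsourceip=10.11.1.50
"""

def parse_conns(text):
    """Map each conn name to its settings; '#' comments stripped, values kept verbatim."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if not line[0].isspace():  # section header: 'conn X' or 'config setup'
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def find_conflicts(conns):
    """Flag a static address given to several conns or lying inside a dynamic pool."""
    pools, statics, findings = [], {}, []
    for name, opts in conns.items():
        src = opts.get("rightsourceip")
        if not src or src.startswith("%"):
            continue  # %config, %dhcp or a named pool: not a fixed address
        if "/" in src:
            pools.append((name, ipaddress.ip_network(src, strict=False)))
        else:
            statics.setdefault(ipaddress.ip_address(src), []).append(name)
    for addr, names in statics.items():
        if len(names) > 1:
            findings.append(("duplicate", f"{addr} used by {sorted(names)}"))
        for pname, net in pools:
            if addr in net:
                findings.append(("in-pool", f"{addr} ({names[0]}) inside {net} of {pname}"))
    return findings
```

Run it against the real ipsec.conf before `ipsec update` so a clash is caught before charon loads the new conns.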
