[strongSwan] how to config multiple specific virtual ips per road warrior on swanctl.conf?

Thu Jan 14 02:23:40 CET 2016

Hi,

if you want to explicitly assign a specific virtual IP to each client
then you could use an include statement in swanctl.conf which includes
the common parameters for each connection definition and define
specific single address poll for each roadwarrior as in the following
example I did for you:

  https://www.strongswan.org/testing/config-payload/swanctl/config-payload/

The common parameters are defined in /etc/swanctl/swanctl_base.conf:

      local_addrs  = 192.168.0.1

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      children {
         net {
            local_ts  = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-modp3072
         }
      }
      version = 2
      proposals = aes128-sha256-modp3072

Best regards

Andreas

On 01/13/2016 09:31 AM, 陈 锐 wrote:
> hello,
> 
> 
> I got multiple road warriors to logon and get specific virtualip from
> strongswan. I have been successful got it works with charon/ipsec.conf.
> unfortunally, debian 8 have been move to systemd, so I have to change
> from ipsec.conf to swanctl.conf because of charon-systemd. the following
> is my ipsec.conf on strongswan gateway:
> 
> 
> 
> config setup
> #    uniqueids=never
> 
> #############################################
> # ikev2 road warrios pubkey template
> #############################################
> conn ikev2-rw-pub-template
>     keyexchange=ikev2
>     left=%defaultroute
>     leftauth=pubkey
>     #leftfirewall=yes
>     leftsubnet=0.0.0.0/0
>     leftcert=gw1.jklab.cert.pem
>     leftid=gateway1.jklab.qmcc
>     right=%any
>     rightauth=pubkey
>     auto=add
> 
> # ikev2 road warrios pubkey linux client
> conn ikev2-rw-pub-linux-ssTester
>     also=ikev2-rw-pub-template
>     #rightdns=192.168.5.12
>     rightsourceip=192.168.8.10
>     rightid="ssTester at jklab.qmcc"
> 
> # ikev2 road warrios pubkey windows7+ client
> conn ikev2-rw-pub-win7-chenrui
>     also=ikev2-rw-pub-template
>     ike=aes256-sha1-modp1024!
>     rekey=no
>     rightsourceip=192.168.8.2
>     rightid="OU=syharman, CN=chenrui at syharman.qmcc"
> 
> how to translate it to swanctl.conf?
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4275 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160114/14b817e0/attachment.bin>