[strongSwan] Can Strongswan initiator Install both initiator's and responder's virtual IP dynamically

Y Q yanpingqu at hotmail.com
Wed May 6 20:27:39 CEST 2020


I am setting up Strongswan (version 5.7.1) as an IKEv2 IPSec VPN initiator. The responder is a Cisco router. My goal is to get both the initiator's virtual IP (tunnel IP) and the responder's virtual IP (tunnel IP) dynamically through IPSec negotiation.

I see responder has sent both initiator's virtual IP and responder's virtual IP / subnet in IKEv2 configuration payload.

I can get the initiator's virtual IP if I configure "leftsourceip=%config" in ipsec.conf. The tunnel comes up successfully if I also explicitly specify rightsubnet with a valid IP subnet.

However I could not figure out how I can set ipsec.conf so that responder's virtual IP contained in the configuration payload can be parsed and installed on the initiator.

I have tried the following different configuration in ipsec.conf separately. But with each of them the CHILD_SA setup fails:




Strongswan Virtual IP wiki (https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp) has stated the following:

strongSwan currently implements one scenario with IKEv2 configuration payloads, where an IP address is assigned to the initiator (since 5.0.1 multiple addresses can be assigned from multiple pools). The opposite is possible by the protocol, but is an uncommon setup and therefore not supported.

So it looks like Strongswan currently does not support the scenario where an initiator can get BOTH the initiator's and the responder's virtual IP through tunnel negotiation?
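As an added illustration (not the poster's own configuration, which was lost with the scrubbed HTML), here is an ipsec.conf conn for the working case the post describes: the initiator requests its own virtual IP with leftsourceip=%config, while rightsubnet is stated explicitly because strongSwan does not install a responder-side virtual IP from the configuration payload. Addresses, identities and PSK authentication are assumptions.

```ini
# Added example, not taken from the post. Placeholder values throughout.
conn cisco-ikev2
    keyexchange=ikev2
    left=%defaultroute
    # placeholder local identity
    leftid=@initiator.example
    # request the initiator's virtual IP from the responder's config payload
    leftsourceip=%config
    # assumption: pre-shared key authentication on both sides
    leftauth=psk
    rightauth=psk
    # placeholder responder address (TEST-NET-1 range)
    right=192.0.2.1
    rightid=%any
    # the responder-side selector must be given explicitly; the responder's
    # virtual IP in the config payload is not parsed into this value
    rightsubnet=10.10.10.0/24
    auto=start
```

With this conn the CHILD_SA covers the explicit rightsubnet only; any responder tunnel address advertised in the configuration payload is ignored, which matches the wiki statement quoted above.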

