
Issue #3315

Does strongSwan support multiple pools?

Added by Dries Michiels 3 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Low
Category:
configuration
Affected version:
5.8.2
Resolution:
No change required

Description

I'm looking to configure everything dual stack in 2020 and wonder if strongSwan supports multiple pools for the same IP version.
My config is in attachments. The use case is to use a private-ipv6 pool for access control to my DNS server.
And a global-ipv6 pool for IPv6 access to the internet. The global-ipv6 pool is added with the use of a script using py-vici and dhcpcd.
It would help a lot if VPN clients that connect obtain both an IPv6 address from the private pool and one from the global pool.
Although at this moment I haven't been able to get this to work, so I'm thinking this might not be supported?

Thanks for shining some light on this.

Attachment: swanctl.conf.txt (767 Bytes), swanctl config file, Dries Michiels, 20.01.2020 20:54

History

#1 Updated by Noel Kuntze 3 months ago

  • Category changed from swanctl to configuration

Did you try configuring several IP addresses in the connections.<conn>.vips setting?
Also you can specify several pools just fine. I don't know about requesting multiple IP addresses of the same type though.

#2 Updated by Dries Michiels 2 months ago

Seems to me that a client is limited to one IP address per stack.

#3 Updated by Tobias Brunner 2 months ago

> Seems to me that a client is limited to one IP address per stack.

So you decided not to try it then.

#4 Updated by Dries Michiels 2 months ago

Tobias Brunner wrote:

> > Seems to me that a client is limited to one IP address per stack.
>
> So you decided not to try it then.

I did try with my configuration above using multiple pools. But then the client gets one IPv6 address (from the first IPv6 pool that was added). I did not yet try the vips setting as I'm confused what I would need to fill in there. Can it be a subnet? If I hardcode one fd00:0:0:1::/64 address, how will it handle multiple clients?

From swanctl: Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.

I'll try tonight with a fixed IPv6 address for the vips setting.

#5 Updated by Tobias Brunner 2 months ago

Did you read VirtualIP?

> I did try with my configuration above using multiple pools. But then the client gets one IPv6 address (from the first IPv6 pool that was added).

Why should it get more than one if it requests only one? But the server will not assign IPs from different pools unless the first pool is full (you'd have to write your own plugin that assigns IP addresses if you want something like that).
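To make the pool behaviour described in this thread concrete, here is an added swanctl.conf illustration. It is not the attachment from this issue and not strongSwan project code; every pool name, prefix, address, certificate and connection name in it is made up for the example (2001:db8::/32 and 203.0.113.0/24 are documentation ranges). The responder side assigns the two IPv6 pools to one connection; the initiator side shows the `vips` syntax quoted from the swanctl documentation above.

```conf
# Responder (VPN gateway) side. All names and prefixes are placeholders.
pools {
    # ULA pool used for access control on the internal DNS server
    private-ipv6 {
        addrs = fd00:0:0:1::/64
        dns = fd00:0:0:1::53
    }
    # Global pool; in the issue this one is added at runtime via py-vici,
    # here it is written statically with a documentation prefix
    global-ipv6 {
        addrs = 2001:db8:1234:1::/64
    }
    rw-ipv4 {
        addrs = 10.3.0.0/24
    }
}

connections {
    rw {
        local_addrs = 203.0.113.1
        # Pools are tried in this order. A client that requests one IPv6
        # address is served from private-ipv6; global-ipv6 is only used once
        # private-ipv6 has no free address left, as explained in this thread.
        pools = private-ipv6, global-ipv6, rw-ipv4
        local {
            auth = pubkey
            certs = vpn.example.org.pem   # placeholder certificate
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0, ::/0
                esp_proposals = aes256gcm16-x25519
            }
        }
        version = 2
        proposals = aes256-sha256-x25519
    }
}

# Initiator (strongSwan road-warrior client) side, separate swanctl.conf.
connections {
    home {
        remote_addrs = vpn.example.org
        # Comma separated list of virtual IPs to request: the wildcards
        # 0.0.0.0 and :: ask for an arbitrary address of each family, and a
        # specific address may be listed instead. The responder may still
        # answer with a different address, or with none.
        vips = 0.0.0.0, ::
        local {
            auth = eap-mschapv2
            eap_id = alice          # placeholder EAP identity
        }
        remote {
            auth = pubkey
            id = vpn.example.org
        }
        children {
            home {
                remote_ts = 0.0.0.0/0, ::/0
                esp_proposals = aes256gcm16-x25519
            }
        }
        version = 2
        proposals = aes256-sha256-x25519
    }
}
```

Because the responder walks the pools in order, listing several pools of the same family does not by itself hand every client one address from each pool; it only adds spare capacity. Requesting a second IPv6 address from the initiator would require a client that can list more than one entry under `vips`, which the stock Windows and iOS clients cannot, and the thread does not confirm what the responder returns for such a request.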

#6 Updated by Dries Michiels 2 months ago

Tobias Brunner wrote:

> Did you read VirtualIP?
>
> > I did try with my configuration above using multiple pools. But then the client gets one IPv6 address (from the first IPv6 pool that was added).
>
> Why should it get more than one if it requests only one? But the server will not assign IPs from different pools unless the first pool is full (you'd have to write your own plugin that assigns IP addresses if you want something like that).

I did read that section and I now understand why it isn't working as I would expect.
So the only way to force this is through the clients themselves, for them to request multiple addresses, or to write my own server plugin. I'm not sure how I can change the "vips" setting on Windows and iOS clients, I'll google around. Thanks for the info though.

#7 Updated by Tobias Brunner 2 months ago

  • Status changed from New to Feedback

> I'm not sure how I can change the "vips" setting on Windows and iOS clients, I'll google around.

You can't. These clients will only request and use one virtual IP address of each family. I guess the server could just send more addresses, but RFC 7296 states: "The responder MAY only send up to the number of addresses requested.", and these clients probably wouldn't know what to do with the additional addresses anyway.

#8 Updated by Dries Michiels 2 months ago

Tobias Brunner wrote:

> > I'm not sure how I can change the "vips" setting on Windows and iOS clients, I'll google around.
>
> You can't. These clients will only request and use one virtual IP address of each family. I guess the server could just send more addresses, but RFC 7296 states: "The responder MAY only send up to the number of addresses requested.", and these clients probably wouldn't know what to do with the additional addresses anyway.

Feel free to close this issue. Thank you for the feedback.

#9 Updated by Tobias Brunner 2 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
