Issue #3535

How can I assign requested IP address to clients

Added by anusha george about 2 months ago. Updated 28 days ago.

Status: Feedback
Priority: Normal
Category: configuration
Affected version: 5.9.0
Resolution:

Description

I am using strongSwan and connecting devices to a VPN server.
Now the server is assigning the virtual IPs to each client randomly.
I just want to know: my client is requesting a virtual IP; is it possible to assign the same IP address to the client (if the IP is not assigned to any other users)?

History

#1 Updated by P B about 2 months ago

I would like to chip in on this: since upgrading to Ubuntu 20.04 the attr-sql plugin is no longer working, same with the ipsec pool command, which I used before. Since I have only some clients, I would do specific configurations in ipsec.conf with rightsourceip= set to individual IPs. However, I can't manage to get it working. Client iOS, Host 5.8.2

conn %default
        keyexchange=ikev2
        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=vpn.host
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        right=%any
        rightdns=8.8.8.8,8.8.4.4

conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2" 
        rightauth=eap-tls
        eap_identity=%any

conn IPHONE1
        also="IPSec-IKEv2-EAP" 
        eap_identity="iphone1" 
        rightcert=IphoneCert1.pem
        rightsourceip=192.168.7.13

I've tried several ways of identifying the client to get it to switch over to IPHONE1; however, it stays at the generic part.

Aug  5 16:46:21 HOST charon: 11[IKE] peer requested virtual IP %any
Aug  5 16:46:21 HOST charon: 11[IKE] no virtual IP found for %any requested by 'iphone1'

Edit:

My bad - the order seems to be important. After switching the conn IPSec-IKEv2-EAP and conn IPHONE1 it works.

Edit 2:
Ok, this seems to work with only 1 client - is there any other way to get different conn settings to work?

Edit 3:
Besides eap_identity, rightid=@iphone1 had to be set.

#2 Updated by anusha george about 2 months ago

If I have rightsourceip=10.10.0.5 on the VPN server, it assigns this IP to the requested device. But I cannot write it on the VPN server, because I sometimes have 100 clients.

#3 Updated by Tobias Brunner about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback

> Edit 2:
> Ok, this seems to work with only 1 client - is there any other way to get different conn settings to work?
>
> Edit 3:
> Besides eap_identity, rightid=@iphone1 had to be set.

See #1057 for connection switching based on EAP identities.

> But I cannot write it on the VPN server, because I sometimes have 100 clients.

Script and includes? Anyway, see VirtualIp for the current options to assign virtual IPs to clients.
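
The "script and includes" route suggested in comment #3, as an added example (not from the thread or the strongSwan project): it renders one conn per client in the pattern P B reports in comment #1 (also=, eap_identity, rightid, rightsourceip) and rejects duplicate or out-of-pool addresses and identities that could inject extra config lines. The client list, pool, `client-` conn prefix and function names are assumptions.

```python
import ipaddress
import re

BASE_CONN = "IPSec-IKEv2-EAP"  # parent conn name as posted in comment #1
POOL = "192.168.7.0/24"        # assumed virtual IP subnet
# Constructed sample data (hypothetical clients): identity -> static virtual IP
CLIENTS = {"iphone1": "192.168.7.13", "iphone2": "192.168.7.14",
           "laptop7": "192.168.7.15"}
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def validate(clients, pool):
    """Return a list of problems; an empty list means the mapping is usable."""
    net = ipaddress.ip_network(pool)
    reserved = (net.network_address, net.broadcast_address)
    problems, owner = [], {}
    for ident, ip in clients.items():
        # Identities end up verbatim in ipsec.conf: refuse whitespace/newlines/quotes.
        if not SAFE_ID.fullmatch(ident):
            problems.append(f"{ident!r}: identity not safe to write into a conn")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{ident}: {ip!r} is not an IP address")
            continue
        if addr not in net or addr in reserved:
            problems.append(f"{ident}: {addr} is not a host address in {net}")
        elif addr in owner:
            problems.append(f"{ident}: {addr} already assigned to {owner[addr]!r}")
        else:
            owner[addr] = ident
    return problems

def render(clients, pool=POOL, base=BASE_CONN):
    """Render the per-client conn sections, or raise ValueError on bad input."""
    problems = validate(clients, pool)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(
        f"conn client-{ident}\n"
        f'        also="{base}"\n'
        f'        eap_identity="{ident}"\n'
        f"        rightid=@{ident}\n"
        f"        rightsourceip={ip}\n"
        for ident, ip in sorted(clients.items())
    )

if __name__ == "__main__":
    print(render(CLIENTS))
```

Include the generated file from ipsec.conf ahead of the generic conn, since the first edit in comment #1 reports that order matters there.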

#4 Updated by anusha george 28 days ago

Okay. I'm using %config and let the client decide the IP.

Now my doubt is: if I choose %config and would like to define a DHCP range, is that possible?
Or is it either %config or %dhcp in the rightsourceip field (if I understood correctly)?

#5 Updated by Tobias Brunner 28 days ago

> Okay. I'm using %config and let the client decide the IP.

Note that this only works with compatible clients that are configured properly.

> Now my doubt is: if I choose %config and would like to define a DHCP range, is that possible?
> Or is it either %config or %dhcp in the rightsourceip field (if I understood correctly)?

As fallback? Or what do you mean? As documented, you can configure multiple backends.

#6 Updated by anusha george 28 days ago

> As fallback? Or what do you mean? As documented, you can configure multiple backends.

I need a specific static IP address for each client. So the client is requesting with the IP address, and the server should assign the same IP. For this I now use rightsourceip=%config.

Also, I have to use the DHCP range on the VPN server. So I changed rightsourceip=%dhcp. Or can you maybe give an example to configure this on the dhcp plugin?
My config:

config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=never

conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=vpn-ip-address
        leftcert=server-cert.pem # reads the VPN server cert in /etc/ipsec.d/certs
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftfirewall=no
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity="%identity"
        rightsourceip=%dhcp # IP address Pool to be assigned to the clients

#7 Updated by Tobias Brunner 28 days ago

> I need a specific static IP address for each client. So the client is requesting with the IP address, and the server should assign the same IP. For this I now use rightsourceip=%config.
>
> Also, I have to use the DHCP range on the VPN server.

What has one to do with the other? You either let the clients choose their virtual IPs (if the clients support this), but this could be prone to issues like duplicate IPs. Or you assign the virtual IPs from the server.

> So I changed rightsourceip=%dhcp. Or can you maybe give an example to configure this on the dhcp plugin?

You can configure your plugin and the DHCP server so virtual IPs are assigned based on the client identities (there are examples in our test suite).
