Virtual IP » History » Version 6
Martin Willi, 18.04.2008 15:07
| 1 | 1 | Martin Willi | |
|---|---|---|---|
| 2 | 6 | Martin Willi | h1. Virtual IP |
| 3 | 1 | Martin Willi | |
| 4 | 1 | Martin Willi | |
| 5 | 6 | Martin Willi | IKEv1 and IKEv2 both know the concept of _virtual IPs_. This means that the initiator (or even the responder) requests an additional IP address from the peer to use as inner IPsec tunnel address. |
| 6 | 1 | Martin Willi | |
| 7 | 6 | Martin Willi | In IKEv1, virtual IPs are exchanged using the _mode config_ extension. IKEv2 has full support for virtual IPs in the core standard using _configuration payloads_. |
| 8 | 6 | Martin Willi | |
| 9 | 6 | Martin Willi | |
| 10 | 6 | Martin Willi | h2. IKEv1 |
| 11 | 6 | Martin Willi | |
| 12 | 6 | Martin Willi | |
| 13 | 6 | Martin Willi | |
| 14 | 6 | Martin Willi | h2. IKEv2 |
| 15 | 6 | Martin Willi | |
| 16 | 1 | Martin Willi | strongSwan currently implements one scenario with configuration payload, where an IP address is assigned to the initiator. The opposite is possible by the protocol, but is a uncommon setup and therefore not supported. |
| 17 | 1 | Martin Willi | |
| 18 | 1 | Martin Willi | |
| 19 | 6 | Martin Willi | h3. Initiator Configuration |
| 20 | 6 | Martin Willi | |
| 21 | 6 | Martin Willi | The client needs an additional parameter called the _leftsourceip_. |
| 22 | 6 | Martin Willi | |
| 23 | 6 | Martin Willi | <pre> |
| 24 | 1 | Martin Willi | leftsourceip=%config |
| 25 | 6 | Martin Willi | </pre> |
| 26 | 6 | Martin Willi | _%config_ means to request an address from the responder and is an alias for the IKEv1 specific _%modecfg_. But you may specify an address explicitly by setting: |
| 27 | 6 | Martin Willi | <pre> |
| 28 | 1 | Martin Willi | leftsourceip=10.3.0.5 |
| 29 | 6 | Martin Willi | </pre> |
| 30 | 6 | Martin Willi | This will include _10.3.0.5_ into the configuration payload request. However, the responder may return an other address, or may not return one at all. |
| 31 | 1 | Martin Willi | |
| 32 | 6 | Martin Willi | The client can't request other attributes, but it may process the DNS attributes. Received DNS servers are written to the beginning of _/etc/resolv.conf_, or an other file specified with the _--with-resolve-conf_ configure directive. |
| 33 | 3 | Martin Willi | |
| 34 | 6 | Martin Willi | You should not include the _leftsubnet_ option, as the subnet may not match your received virtual IP. Without the _leftsubnet_ option, the subnet is narrowed to your assigned virtual IP automatically. |
| 35 | 3 | Martin Willi | |
| 36 | 6 | Martin Willi | |
| 37 | 6 | Martin Willi | h3. Responder Configuration |
| 38 | 6 | Martin Willi | |
| 39 | 6 | Martin Willi | The responder configuration uses the _rightsourceip_ option: |
| 40 | 6 | Martin Willi | <pre> |
| 41 | 5 | Martin Willi | rightsourceip=10.3.0.6 |
| 42 | 6 | Martin Willi | </pre> |
| 43 | 6 | Martin Willi | This will serve the IP _10.3.0.6_ to the client, even if the initiator requested another address. Additionally, the responder may define: |
| 44 | 6 | Martin Willi | <pre> |
| 45 | 5 | Martin Willi | rightsourceip=%config |
| 46 | 6 | Martin Willi | </pre> |
| 47 | 5 | Martin Willi | to let the client choose an address. This is not recommended if you do not trust the client completely. |
| 48 | 5 | Martin Willi | |
| 49 | 5 | Martin Willi | The IKEv2 daemon charon supports address pools since strongswan 4.2.1. You may define an address pool in CIDR notation, e.g. |
| 50 | 6 | Martin Willi | <pre> |
| 51 | 1 | Martin Willi | rightsourceip=10.3.0.0/24 |
| 52 | 6 | Martin Willi | </pre> |
| 53 | 1 | Martin Willi | to serve addresses from that pool. You may also use an external pool implemented as a plugin where you can specify a pool name to select addresses from. The definition |
| 54 | 6 | Martin Willi | <pre> |
| 55 | 1 | Martin Willi | rightsourceip=%poolname |
| 56 | 6 | Martin Willi | </pre> |
| 57 | 6 | Martin Willi | queries registered plugins for an IP from a pool named _poolname_. |