attr plugin

The attr plugin provides IKE attributes configured in strongswan.conf to peers. It is enabled by default.

Behavior

Configured attributes are assigned to peers via configuration payloads (IKEv2) or via Mode Config (IKEv1). Attributes are only assigned to peers if they request a virtual IP address.

Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.

Configuration

The plugin is configured using the following strongswan.conf options.

Key | Default | Description
--- | --- | ---
charon.plugins.attr.<attribute> | | Attribute assigned to a peer via configuration payload (CP) or Mode Config

Attribute Types

Possible values for <attribute> are listed in the following table. Depending on the address family of the IP address specified as value, the proper IP4 or IP6 attribute type is used.
A complete list of IKEv2 configuration payload (CP) attributes can be found at the IANA website.

Multiple values can be specified as a comma separated list.

IPv4

Key | Attribute Type | Type Number | Description
--- | --- | --- | ---
address | INTERNAL_IP4_ADDRESS | 1 | Internal IPv4 address
netmask | INTERNAL_IP4_NETMASK | 2 | Netmask of the internal network (in dotted decimal notation), similar to subnet but bound to the internal address
dns | INTERNAL_IP4_DNS | 3 | DNS server
nbns | INTERNAL_IP4_NBNS | 4 | WINS server
dhcp | INTERNAL_IP4_DHCP | 6 | DHCP server
subnet | INTERNAL_IP4_SUBNET | 13 | The protected sub-networks that this edge-device protects (in CIDR notation). Usually ignored in deference to local_ts, though OS X clients will use this for routes.

IPv6

Key | Attribute Type | Type Number | Description
--- | --- | --- | ---
address | INTERNAL_IP6_ADDRESS | 8 | Internal IPv6 address
netmask | INTERNAL_IP6_NETMASK | 9 | Netmask of the internal network (IKEv1 only)
dns | INTERNAL_IP6_DNS | 10 | DNS server
nbns | INTERNAL_IP6_NBNS | 11 | WINS server (IKEv1 only)
dhcp | INTERNAL_IP6_DHCP | 12 | DHCP server
subnet | INTERNAL_IP6_SUBNET | 15 | The protected sub-networks that this edge-device protects (in CIDR notation)

Arbitrary attributes using the configured attribute type as assigned by IANA

Key | Attribute Type | Type Number | Description
--- | --- | --- | ---
<integer> | As configured | <integer> | Value as defined by the referenced RFCs (see the following examples). IP addresses and subnets are recognized, otherwise the literal string is used as attribute value
7 | APPLICATION_VERSION | 7 | String of printable ASCII characters that signifies the version or application of the IPsec host
18 | INTERNAL_IP6_PREFIX | 18 | Subnet passed to the clients as prefix

Cisco Unity extensions for IKEv1 (IPv4 and IPv6), since 5.0.1

Key | Attribute Type | Type Number | Description
--- | --- | --- | ---
28672 | UNITY_BANNER | 28672 | Message displayed on certain clients after login
28673 | UNITY_SAVE_PASSWD | 28673 | Allow the client to save the XAuth password in local storage
28674 | UNITY_DEF_DOMAIN | 28674 | Default search domain used when resolving host names via the assigned DNS servers
28675 | UNITY_SPLITDNS_NAME | 28675 | If split tunneling is used, clients might not install the assigned DNS servers globally. This space-separated list of domain names allows clients, such as Mac OS X, to selectively query the assigned DNS servers. Mac OS X seems to use only the first item in the list
split-include | UNITY_SPLIT_INCLUDE | 28676 | Comma-separated list of subnets to tunnel. The unity plugin provides a connection-specific approach to assign this attribute
28677 | UNITY_NATT_PORT | 28677 |
split-exclude | UNITY_LOCAL_LAN | 28678 | Comma-separated list of subnets not to tunnel
28679 | UNITY_PFS | 28679 |
28680 | UNITY_FW_TYPE | 28680 |
28681 | UNITY_BACKUP_SERVERS | 28681 |
28682 | UNITY_DDNS_HOSTNAME | 28682 |
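To show how the keys and type numbers in the table end up on the wire, the following is an added Python example (not strongSwan code) that encodes attr settings as IKEv2 configuration payload attributes in the format of RFC 7296 section 3.15.1, choosing the IP4 or IP6 type by address family and treating values of an <integer> key as address, subnet or literal string. The prefix length octet for a bare IPv6 address (128) and the error raised for IKEv1-only types are this example's own choices, not documented plugin behaviour.

```python
import ipaddress
import struct

# strongswan.conf key -> (IKEv2 IPv4 type, IKEv2 IPv6 type); None = IKEv1 only
NAMED_KEYS = {
    "address": (1, 8),     # INTERNAL_IP4_ADDRESS / INTERNAL_IP6_ADDRESS
    "netmask": (2, None),  # INTERNAL_IP6_NETMASK (9) is IKEv1 only
    "dns":     (3, 10),    # INTERNAL_IP4_DNS / INTERNAL_IP6_DNS
    "nbns":    (4, None),  # INTERNAL_IP6_NBNS (11) is IKEv1 only
    "dhcp":    (6, 12),    # INTERNAL_IP4_DHCP / INTERNAL_IP6_DHCP
    "subnet":  (13, 15),   # INTERNAL_IP4_SUBNET / INTERNAL_IP6_SUBNET
}

def encode_value(value, ip4_type, ip6_type):
    """Return (attribute_type, value_bytes); an IP address or CIDR subnet picks
    the type by address family, anything else is a literal string (type None)."""
    try:
        net = ipaddress.ip_network(value, strict=False) if "/" in value else None
        addr = net.network_address if net else ipaddress.ip_address(value)
    except ValueError:
        return None, value.encode("ascii")
    data = addr.packed
    if addr.version == 4:
        if net is not None:          # INTERNAL_IP4_SUBNET value: address + netmask
            data += net.netmask.packed
        return ip4_type, data
    if net is not None or ip6_type == 8:
        # INTERNAL_IP6_SUBNET and INTERNAL_IP6_ADDRESS carry a prefix length octet;
        # this example's assumption: a bare IPv6 address gets prefix length 128.
        data += bytes([net.prefixlen if net else 128])
    return ip6_type, data

def build_cp_attributes(settings):
    """Encode {key: "v1, v2"} attr settings into concatenated CP attribute TLVs:
    R bit + 15-bit type, 16-bit length, value (RFC 7296 section 3.15.1)."""
    out = b""
    for key, raw in settings.items():
        if key in NAMED_KEYS:
            ip4_type, ip6_type = NAMED_KEYS[key]
        else:
            ip4_type = ip6_type = int(key)   # <integer> key: IANA-assigned type
        for value in (v.strip() for v in raw.split(",")):  # comma-separated list
            attr_type, data = encode_value(value, ip4_type, ip6_type)
            if attr_type is None:
                if not key.isdigit():
                    raise ValueError(f"{key} = {value}: no IKEv2 attribute type")
                attr_type = int(key)         # literal string, e.g. APPLICATION_VERSION
            out += struct.pack("!HH", attr_type & 0x7FFF, len(data)) + data
    return out
```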

Legacy Options

IKEv2

Key | Default | Description
--- | --- | ---
charon.dns1 | | DNS server 1 assigned to peer via configuration payload (CP)
charon.dns2 | | DNS server 2 assigned to peer via configuration payload (CP)
charon.nbns1 | | WINS server 1 assigned to peer via configuration payload (CP)
charon.nbns2 | | WINS server 2 assigned to peer via configuration payload (CP)

Example

# the following assigns two DNS servers to peers
charon {
    plugins {
        attr {
            dns = 10.0.10.10, 10.0.20.10
        }
    }
}
# this is the same using the legacy options
charon {
    dns1 = 10.0.10.10
    dns2 = 10.0.20.10
}

Versions before 5.0.0

In versions before 5.0.0 the IKEv1 protocol was implemented by a separate keying daemon called pluto. The following options were available to configure attributes to be assigned to peers via Mode Config.

IKEv1 only

Key | Default | Description
--- | --- | ---
pluto.plugins.attr.<attribute> | | Attribute assigned to a peer via Mode Config

Legacy options

IKEv1 only

Key | Default | Description
--- | --- | ---
pluto.dns1 | | DNS server 1 assigned to peer via Mode Config
pluto.dns2 | | DNS server 2 assigned to peer via Mode Config
pluto.nbns1 | | WINS server 1 assigned to peer via Mode Config
pluto.nbns2 | | WINS server 2 assigned to peer via Mode Config