Project

General

Profile

Virtual IP » History » Version 10

« Previous - Version 10/24 (diff) - Next » - Current version
Tobias Brunner, 20.09.2012 08:42


Virtual IP

IKEv1 and IKEv2 both know the concept of virtual IPs. This means that the initiator requests an additional IP address from the peer to use as inner IPsec tunnel address.

In IKEv1, virtual IPs are exchanged using the mode config extension. IKEv2 has full support for virtual IPs in the core standard using configuration payloads.

IKEv1

The feature set is similar to that in IKEv2, but not all features are supported. If the virtual IP is not assigned by the responder with rightsourceip you may need to use the rightsubnetwithin directive (see this example).

IKEv2

strongSwan currently implements one scenario with configuration payloads, where an IP address is assigned to the initiator. The opposite is possible by the protocol, but is an uncommon setup and therefore not supported.

Initiator Configuration

The client needs an additional parameter called leftsourceip.

    leftsourceip=%config

%config means to request an address from the responder and is an alias for the IKEv1 specific %modecfg. But you may specify an address explicitly by setting:
    leftsourceip=10.3.0.5

This will include 10.3.0.5 into the configuration payload request. However, the responder may return a different address, or may not return one at all.

The client can't request other attributes, but it may process the DNS attributes. Received DNS servers are written to the beginning of /etc/resolv.conf, or an other file specified with the --with-resolve-conf configure directive.

You should not include the leftsubnet option, as the subnet may not match your received virtual IP. Without the leftsubnet option, the subnet is narrowed to your assigned virtual IP automatically.

Responder Configuration

The responder configuration uses the rightsourceip option:

    rightsourceip=10.3.0.6

This will serve the IP 10.3.0.6 to the client, even if the initiator requested another address. Additionally, the responder may define:
    rightsourceip=%config

to let the client choose an address. This is not recommended if you do not trust the client completely.

The IKEv2 daemon charon supports address pools since version 4.2.1; the IKEv1 daemon pluto added support in 4.4.0. You may define an address pool in CIDR notation, e.g.

    rightsourceip=10.3.0.0/24

to serve addresses from that pool. You may also use an external pool implemented as a plugin where you can specify a pool name to select addresses from. The definition
    rightsourceip=%poolname

queries registered plugins for an IP from a pool named poolname. This can also be the name of another connection in ipsec.conf which defines a pool in CIDR notation with rightsourceip, as a pool with that connection's name is created implicitly.

The ipsec pool utility allows to easily manage IP address pools and other attributes, like DNS servers, stored in an SQL database (using the attr-sql plugin).

With the dhcp plugin the responder can request virtual IP addresses for clients from a DHCP server using broadcasts, or a designated server.

DNS/WINS server information is additionally served to clients if the DHCP server provides such information.

The plugin is used in ipsec.conf configurations by setting

    rightsourceip=%dhcp

The farp plugin might also be of use when using the dhcp plugin. It allows the responder to fake ARP responses for
virtual IP addresses handed out to clients. This lets a road-warrior act as a client on the local LAN of the responder.