Virtual IP » History » Version 4

Martin Willi, 04.07.2007 07:52
Capitalize captions

= Virtual IP =

IKEv1 and IKEv2 both know the concept of ''virtual IPs''. This means that the initiator (or even the responder) requests an additional IP address from the peer to use as the inner IPsec tunnel address.

In IKEv1, virtual IPs are exchanged using the ''mode config'' extension. IKEv2 has full support for virtual IPs in the core standard using ''configuration payloads''.

== IKEv1 ==

== IKEv2 ==

strongSwan currently implements one scenario with configuration payloads, where an IP address is assigned to the initiator. The opposite is possible by the protocol, but is an uncommon setup and therefore not supported.

=== Initiator Configuration ===

The client needs an additional parameter called ''leftsourceip''.

{{{
    leftsourceip=%config
}}}

''%config'' means to request an address from the responder and is an alias for the IKEv1-specific ''%modecfg''. But you may specify an address explicitly by setting:

{{{
    leftsourceip=10.3.0.5
}}}

This will include ''10.3.0.5'' in the configuration payload request. However, the responder may return another address, or may not return one at all.

The client can't request other attributes, but it may process the DNS attributes. Received DNS servers are written to the beginning of ''/etc/resolv.conf'', or to another file specified with the ''--with-resolve-conf'' configure directive.

You should not include the ''leftsubnet'' option, as the subnet may not match your received virtual IP. Without the ''leftsubnet'' option, the subnet is narrowed to your assigned virtual IP automatically.

=== Responder Configuration ===

The responder configuration uses the ''rightsourceip'' option:

{{{
    rightsourceip=10.3.0.6
}}}

This will serve the IP ''10.3.0.6'' to the client, even if the initiator requested another address. Additionally, the responder may define:

{{{
    rightsourceip=%config
}}}

to let the client choose an address. This is not recommended if you do not trust the client completely.

Serving clients with addresses from a pool or another backend is currently missing. Serving DNS or other configuration attributes is not supported.
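The fragments above only show the single ''leftsourceip''/''rightsourceip'' line on each side. The following ''ipsec.conf'' puts both sides together as a complete IKEv2 roadwarrior setup, so the interaction with the other options (no ''leftsubnet'' on the client, ''%any'' on the gateway, a fixed address served regardless of the request) is visible. This is a constructed example added here, not configuration from the strongSwan wiki or distribution; the host names, addresses, identities and certificate file names are assumptions, and in practice each ''conn'' lives in the ''ipsec.conf'' of its own host.

```ini
# Constructed example (not from the strongSwan wiki): IKEv2 roadwarrior
# setup where the responder assigns a virtual IP to the initiator.
# Host names, addresses, identities and certificate files are assumptions.

config setup

# --- Initiator (roadwarrior client) ---
conn home
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientCert.pem
    leftid=client@example.org
    # request a virtual IP from the responder (%config == IKEv1 %modecfg);
    # leftsubnet is deliberately omitted so the traffic selector is
    # narrowed to whatever address the responder assigns
    leftsourceip=%config
    right=gw.example.org
    rightid=gw@example.org
    rightsubnet=10.1.0.0/16
    auto=start

# --- Responder (gateway) ---
conn rw
    keyexchange=ikev2
    left=gw.example.org
    leftcert=gwCert.pem
    leftid=gw@example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightid=client@example.org
    # fixed virtual IP served to this client, even if it requested another;
    # preferred over rightsourceip=%config, which lets the client pick
    rightsourceip=10.3.0.6
    auto=add
```

After the tunnel is up, ''ipsec statusall'' on either side shows the narrowed child SA traffic selector containing the assigned ''10.3.0.6/32'', which is the quickest way to confirm that the responder's address, not the client's request, ended up in the policy. On the client, the first lines of ''/etc/resolv.conf'' reveal whether any DNS attribute was received.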