Virtual IP » History » Version 6

Martin Willi, 18.04.2008 15:07

h1. Virtual IP

IKEv1 and IKEv2 both know the concept of _virtual IPs_: the initiator (or, less commonly, the responder) requests an additional IP address from its peer and uses it as the inner address of the IPsec tunnel, i.e. as the source address of the traffic it sends through the tunnel.

In IKEv1, virtual IPs are exchanged using the _mode config_ extension, which is not part of the base standard. IKEv2 supports virtual IPs in the core standard (RFC 4306) using _configuration payloads_.

h2. IKEv1


h2. IKEv2

strongSwan currently implements one configuration payload scenario: the responder assigns an IP address to the initiator. The protocol also allows the reverse (the initiator assigning an address to the responder), but this is an uncommon setup and therefore not supported.

h3. Initiator Configuration

The client needs one additional parameter, _leftsourceip_:

<pre>
    leftsourceip=%config
</pre>

_%config_ means "request an address from the responder" and is an alias for the IKEv1-specific _%modecfg_. You may instead suggest an address explicitly:

<pre>
    leftsourceip=10.3.0.5
</pre>

This includes _10.3.0.5_ in the configuration payload request. The responder is free to return a different address, or none at all, so the client must use whatever it is actually assigned rather than assume its suggestion was honoured.

The client can't request other attributes, but it does process the DNS attributes it receives. Received DNS servers are written to the beginning of _/etc/resolv.conf_, or to another file specified with the _--with-resolve-conf_ configure directive. Keep in mind that this is a system-wide file: a misconfigured or hostile gateway can thereby redirect name resolution for the whole host, not only for tunnelled traffic.

Do not include the _leftsubnet_ option, since that subnet may not match the virtual IP you receive. Without _leftsubnet_, the traffic selector is narrowed to your assigned virtual IP automatically.


h3. Responder Configuration

The responder configuration uses the _rightsourceip_ option:

<pre>
    rightsourceip=10.3.0.6
</pre>

This serves the IP _10.3.0.6_ to the client, even if the initiator requested another address. Alternatively, the responder may define:

<pre>
    rightsourceip=%config
</pre>

to let the client choose its own address. This is not recommended unless you trust the client completely: the client can then claim any address it likes, including one already in use on your network or by another peer.

The IKEv2 daemon charon supports address pools since strongSwan 4.2.1. You may define an address pool in CIDR notation, e.g.

<pre>
    rightsourceip=10.3.0.0/24
</pre>

to serve addresses from that pool. You may also use an external pool implemented as a plugin, selected by pool name. The definition

<pre>
    rightsourceip=%poolname
</pre>

queries the registered plugins for an address from a pool named _poolname_.
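The following is an added example, not strongSwan code, that shows what the initiator and responder options above turn into on the wire. It encodes and decodes the IKEv2 Configuration Payload (RFC 4306, section 3.15), builds the CFG_REQUEST an initiator sends for _leftsourceip=%config_ (a zero-length INTERNAL_IP4_ADDRESS attribute) versus _leftsourceip=10.3.0.5_ (a 4-byte suggestion), and models the three _rightsourceip_ policies: a fixed address, _%config_ (client chooses) and a CIDR pool. The addresses, the DNS server 10.4.0.53, the peer names and the pool allocation strategy are constructed for illustration and do not reflect charon's internal pool implementation.

```python
# Added example (not strongSwan code): encodes and decodes IKEv2 Configuration
# Payloads (RFC 4306, section 3.15) and models the rightsourceip settings
# described on this page. Addresses, pool, DNS server and peer names are
# constructed for illustration only.
import ipaddress
import struct

CFG_REQUEST, CFG_REPLY = 1, 2                   # CFG Type values
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS = 1, 3   # attribute types
NEXT_PAYLOAD_NONE = 0


def build_cp(cfg_type, attrs):
    """Encode a Configuration Payload from [(attribute_type, value_bytes)].

    A zero-length INTERNAL_IP4_ADDRESS in a CFG_REQUEST means "assign me
    any address" (leftsourceip=%config); a 4-byte value suggests one
    (leftsourceip=10.3.0.5).
    """
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    # generic payload header (next payload, critical bit/reserved, length),
    # followed by CFG Type and three reserved bytes
    header = struct.pack("!BBHB3x", NEXT_PAYLOAD_NONE, 0, 8 + len(body), cfg_type)
    return header + body


def parse_cp(data):
    """Decode a Configuration Payload into (cfg_type, [(type, value), ...])."""
    _next, _flags, length, cfg_type = struct.unpack("!BBHB", data[:5])
    if length < 8 or length != len(data):
        raise ValueError("bad Configuration Payload length")
    attrs, off = [], 8
    while off < length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated configuration attribute")
        attrs.append((atype & 0x7FFF, value))   # top bit is reserved
        off += 4 + alen
    return cfg_type, attrs


def client_request(leftsourceip):
    """The CP(CFG_REQUEST) an initiator sends for a given leftsourceip value."""
    if leftsourceip == "%config":
        value = b""                             # any address, responder decides
    else:
        value = ipaddress.IPv4Address(leftsourceip).packed
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, value)])


class Responder:
    """rightsourceip=<address>, rightsourceip=%config or rightsourceip=<cidr>."""

    def __init__(self, rightsourceip, dns=("10.4.0.53",)):
        self.setting = rightsourceip
        self.dns = [ipaddress.IPv4Address(d) for d in dns]
        self.leases = {}                        # peer id -> pool address in use
        self.pool = None
        if "/" in rightsourceip:                # hypothetical first-free pool
            self.pool = iter(ipaddress.IPv4Network(rightsourceip).hosts())

    def assign(self, peer, cp_request):
        """Return the CP(CFG_REPLY) for a peer's request, or None if nothing is assigned."""
        cfg_type, attrs = parse_cp(cp_request)
        if cfg_type != CFG_REQUEST:
            raise ValueError("expected CFG_REQUEST")
        suggested = None
        for atype, value in attrs:
            if atype == INTERNAL_IP4_ADDRESS and len(value) == 4:
                suggested = ipaddress.IPv4Address(value)
        if self.setting == "%config":
            # The client dictates its own address.  Only acceptable for fully
            # trusted clients: nothing stops it from claiming an address that
            # belongs to another peer or to the gateway's own network.
            if suggested is None:
                return None
            addr = suggested
        elif self.pool is not None:
            if peer not in self.leases:         # suggestion ignored, pool decides
                try:
                    self.leases[peer] = next(self.pool)
                except StopIteration:
                    return None                 # pool exhausted, no address
            addr = self.leases[peer]
        else:
            addr = ipaddress.IPv4Address(self.setting)  # fixed, suggestion ignored
        attrs = [(INTERNAL_IP4_ADDRESS, addr.packed)]
        attrs += [(INTERNAL_IP4_DNS, d.packed) for d in self.dns]
        return build_cp(CFG_REPLY, attrs)


def assigned(cp_reply):
    """Initiator side: (virtual IP, [DNS servers]) actually granted by the reply.

    The initiator must use these values, not the address it suggested.
    """
    if cp_reply is None:
        return None, []
    cfg_type, attrs = parse_cp(cp_reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    ip, dns = None, []
    for atype, value in attrs:
        if atype == INTERNAL_IP4_ADDRESS and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
        elif atype == INTERNAL_IP4_DNS and len(value) == 4:
            dns.append(str(ipaddress.IPv4Address(value)))
    return ip, dns
```

Running @assigned(Responder("10.3.0.6").assign("alice", client_request("10.3.0.5")))@ yields the fixed address _10.3.0.6_ regardless of the suggestion, while @Responder("%config")@ hands back exactly what the client asked for, which is why _%config_ on the responder side is only safe with fully trusted clients. A pool responder ignores the suggestion as well and returns the same lease to a peer on repeated requests.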