Virtual IP » History » Version 7

Tobias Brunner, 04.05.2011 13:59
farp, dhcp, ipsec pool mentioned

h1. Virtual IP

IKEv1 and IKEv2 both know the concept of _virtual IPs_. This means that the initiator (or even the responder) requests an additional IP address from the peer to use as the inner IPsec tunnel address.

In IKEv1, virtual IPs are exchanged using the _mode config_ extension. IKEv2 has full support for virtual IPs in the core standard using _configuration payloads_.

h2. IKEv1

The feature set is similar to that in IKEv2, but not all features are supported. If the virtual IP is not assigned by the responder with _rightsourceip_, you may need to use the _rightsubnetwithin_ directive (see "this example":http://www.strongswan.org/uml/testresults/ikev1/virtual-ip/).

h2. IKEv2

strongSwan currently implements one scenario with configuration payloads, where an IP address is assigned to the initiator. The opposite is possible by the protocol, but is an uncommon setup and therefore not supported.
h3. Initiator Configuration

The client needs an additional parameter called _leftsourceip_.

<pre>
    leftsourceip=%config
</pre>

_%config_ means to request an address from the responder and is an alias for the IKEv1-specific _%modecfg_. But you may specify an address explicitly by setting:

<pre>
    leftsourceip=10.3.0.5
</pre>

This will include _10.3.0.5_ in the configuration payload request. However, the responder may return a different address, or may not return one at all.

The client can't request other attributes, but it may process the DNS attributes. Received DNS servers are written to the beginning of _/etc/resolv.conf_, or another file specified with the _--with-resolv-conf_ configure directive.

You should not include the _leftsubnet_ option, as the subnet may not match your received virtual IP. Without the _leftsubnet_ option, the subnet is narrowed to your assigned virtual IP automatically.
h3. Responder Configuration

The responder configuration uses the _rightsourceip_ option:

<pre>
    rightsourceip=10.3.0.6
</pre>

This will serve the IP _10.3.0.6_ to the client, even if the initiator requested another address. Additionally, the responder may define:

<pre>
    rightsourceip=%config
</pre>

to let the client choose an address. This is not recommended if you do not trust the client completely.

The IKEv2 daemon charon supports address pools since version 4.2.1. You may define an address pool in CIDR notation, e.g.

<pre>
    rightsourceip=10.3.0.0/24
</pre>

to serve addresses from that pool. You may also use an external pool implemented as a plugin, in which case you specify the name of the pool to select addresses from. The definition

<pre>
    rightsourceip=%poolname
</pre>

queries registered plugins for an IP from a pool named _poolname_. This can also be the name of another connection in [[IpsecConf|ipsec.conf]] which defines a pool in CIDR notation with _rightsourceip_, as a pool with that connection's name is created implicitly.
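An added example, not taken from this wiki page, that puts the initiator and responder options above together into one IKEv2 road-warrior setup; the host names, certificate file names, subnets and the choice of EAP method for the second gateway connection are placeholders:

```text
# Gateway (responder) side of /etc/ipsec.conf. Added example with placeholder
# host names, certificate files and subnets; not taken from the wiki page.
conn rw
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@gw.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    # Serve addresses from this pool and ignore any address the client asks
    # for in its configuration payload. The pool is also registered under the
    # connection name, so other connections can refer to it as %rw.
    rightsourceip=10.3.0.0/24
    auto=add

conn rw-eap
    # Same gateway, but clients authenticate with EAP-MSCHAPv2 instead of
    # certificates (placeholder choice of EAP method).
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@gw.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    # Draw from the pool created implicitly by "rw" rather than using
    # rightsourceip=%config, which would let an untrusted client pick any address.
    rightsourceip=%rw
    auto=add

# Road warrior (initiator) side of /etc/ipsec.conf
conn home
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientCert.pem
    leftid=@client.example.org
    # Request a virtual IP from the gateway (%config is an alias of the IKEv1
    # %modecfg). Deliberately no leftsubnet: the local traffic selector is
    # narrowed to the assigned virtual IP.
    leftsourceip=%config
    right=gw.example.org
    rightid=@gw.example.org
    rightsubnet=10.1.0.0/16
    auto=start
```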
The [[IpsecPool|ipsec pool]] utility (available since 4.4.1) allows you to easily manage IP address pools and other attributes, like DNS servers, stored in an SQL database (using the *attr-sql* plugin).

With the *dhcp* plugin (available since 4.4.0) the responder can request virtual IP addresses for clients from a DHCP server, either using broadcasts or from a designated server specified with the @charon.plugins.dhcp.server@ option in [[StrongswanConf|strongswan.conf]].

DNS/WINS server information is additionally served to clients if the DHCP server provides such information.

The plugin is used in ipsec.conf configurations by setting

<pre>
    rightsourceip=%dhcp
</pre>

The *farp* plugin might also be of use when using the *dhcp* plugin. It allows the responder to fake ARP responses for virtual IP addresses handed out to clients. This lets a road-warrior act as a client on the local LAN of the responder.