[strongSwan] Reply: Some Question about the configuration payload

2009-09-24 Thread weiping deng
Hi Andreas,

Thanks for your quick response and important information about the
configuration payload. 
I want to confirm the following item with you further:
Do I need to configure nothing in ipsec.conf or strongswan.conf, and
only need to start the resolv and attr plugins on the server side and peer
side?

Best Regards,
David
-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 2009-09-24 15:03
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: Some Question about the configuration payload

weiping deng wrote:
 Hi Both,
 
 Excuse me. I have the following questions about the configuration payload:
 
 Q1:
 
 In the current version of strongSwan, can the internal DNS be
 assigned by the server when the peer requests it in the same
 configuration payload as the virtual IP request?
 
 If internal DNS can be assigned, where can I get this information? And
 if I want to obtain this information for further handling, how can I do that?

Yes, internal DNS servers can be assigned to a strongSwan client via
the configuration payload. A sample scenario is shown here:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/console.log

By default the DNS servers are added to /etc/resolv.conf by the
resolv-conf plugin. The destination file can be changed via the

  --with-resolv-conf=file

configuration option. strongSwan as a server can read DNS and WINS
server information from /etc/strongswan.conf using the attr plugin:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/moon.strongswan.conf

Both the attr and resolv-conf (renamed to resolve starting with
release 4.3.5) plugins are enabled by default.

 
 Q2:
 
 I have always had a question: according to RFC4306 (IKEv2), the
 server can assign the internal subnet and corresponding netmask to the
 peer. Why do we need to configure rightsubnet in the peer's ipsec.conf?
 
 Can this item be removed from ipsec.conf? Or maybe this item is not
 used to configure the internal subnet and can be set to a random value
 (in fact, it does not work when I set a random value for
 right/leftsubnet).

On the client side you can define right|leftsubnet=0.0.0.0/0
and the server will narrow the range down to its own definition.
Narrowing is an IKEv2 feature.

  
 
 Look forward to your answer, thanks.
 
 David

Regards

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
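
Added example (not part of the original thread and not strongSwan code): a simplified Python model of the narrowing described in the answer to Q2, where the client proposes 0.0.0.0/0 and the server reduces it to its own definition. The function name narrow and the server subnet 10.1.0.0/16 are assumptions made for illustration; real IKEv2 traffic selectors also carry protocol and port ranges.

```python
import ipaddress

def narrow(proposed, configured):
    """Narrow the initiator's proposed subnets to what the responder allows.

    Simplified model (assumption): selectors are plain CIDR subnets, without
    the protocol and port fields real IKEv2 traffic selectors carry.
    """
    kept = []
    for p in map(ipaddress.ip_network, proposed):
        for c in map(ipaddress.ip_network, configured):
            if p.version != c.version:
                continue
            # Two CIDR blocks either nest or are disjoint, so the
            # intersection is simply the smaller of the two.
            if c.subnet_of(p):
                hit = c
            elif p.subnet_of(c):
                hit = p
            else:
                continue
            if hit not in kept:
                kept.append(hit)
    return [str(n) for n in kept]

# Constructed sample: the responder protects 10.1.0.0/16.
SERVER_SUBNETS = ["10.1.0.0/16"]

if __name__ == "__main__":
    for proposal in (["0.0.0.0/0"], ["10.1.5.0/24"], ["192.168.77.0/24"]):
        result = narrow(proposal, SERVER_SUBNETS)
        print(proposal, "->", result or "no overlap, nothing to negotiate")
```

The third proposal models an arbitrary subnet value on the client: it shares nothing with the server's definition, so nothing is left after narrowing.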


Re: [strongSwan] Reply: Some Question about the configuration payload

2009-09-24 Thread Andreas Steffen
The server needs the attr plugin (ipsec statusall should list it)
and up to two DNS and WINS servers can be defined in strongswan.conf:

# /etc/strongswan.conf - strongSwan configuration file

charon {
  dns1 = 62.2.17.60
  dns2 = 62.2.24.162
  nbns1 = 10.10.1.1
  nbns2 = 10.10.0.1
}

On the client just the resolv-conf plugin is required (ipsec
statusall should list it). The DNS servers are appended to
/etc/resolv.conf or the file you specified with the compile
option --with-resolv-conf=. When the tunnel goes down,
the DNS information is removed.

Regards

Andreas

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
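
Added example (not part of the original thread and not strongSwan code): a Python parser for the body of an IKEv2 Configuration payload as laid out in RFC 4306, section 3.15, showing how a virtual IP and the DNS/NBNS servers travel in the same payload. The DNS and NBNS addresses are the ones from the strongswan.conf above; the virtual IP 10.3.0.1 and the names build_cp and parse_cp are assumptions made for illustration.

```python
import socket
import struct

# CFG types and attribute types from RFC 4306, section 3.15.
CFG_TYPES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS"}

def build_cp(cfg_type, attrs):
    """Encode a CP body: CFG type, 3 reserved bytes, then the attributes."""
    body = struct.pack("!B3x", cfg_type)
    for atype, addr in attrs:
        value = socket.inet_aton(addr) if addr else b""  # empty = "please assign"
        body += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    return body

def parse_cp(body):
    """Decode a CP body, rejecting truncated or over-long attributes."""
    if len(body) < 4:
        raise ValueError("truncated CP payload")
    cfg_type = CFG_TYPES.get(body[0], "unknown(%d)" % body[0])
    attrs, off = [], 4
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated attribute header")
        atype, length = struct.unpack_from("!HH", body, off)
        atype &= 0x7FFF  # top bit is reserved
        value = body[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("attribute length exceeds payload")
        off += 4 + length
        name = ATTRS.get(atype, "type %d" % atype)
        if length == 0:
            text = None
        elif atype in ATTRS and length == 4:
            text = socket.inet_ntoa(value)
        else:
            text = value.hex()
        attrs.append((name, text))
    return cfg_type, attrs

# Constructed sample exchange: the client asks for a virtual IP and DNS,
# the server answers with the values configured for the attr plugin.
REQUEST = build_cp(1, [(1, None), (3, None)])
REPLY = build_cp(2, [(1, "10.3.0.1"), (3, "62.2.17.60"), (3, "62.2.24.162"),
                     (4, "10.10.1.1"), (4, "10.10.0.1")])

if __name__ == "__main__":
    for payload in (REQUEST, REPLY):
        print(parse_cp(payload))
```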
