Hi Andreas,

Thanks for your quick response and important information about the configuration payload. I want to affirm the following item with you further: Whether I need to configure nothing in ipsec.conf or strongswan.conf and only need to start the "resolv and attr" plugins in server side and peer side?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: 24 September 2009 15:03
To: weiping deng
Cc: 'Martin Willi'; [email protected]
Subject: Re: Some Question about the configuration payload

weiping deng wrote:
> Hi Both,
>
> Excuse me. I have the following questions about the configuration payload:
>
> Q1:
>
> In current version of strongswan, whether the internal DNS can be
> assigned by server when peer initiates the request for it with the same
> configuration payload for virtual IP request?
>
> If internal DNS can be assigned, where I can get this information? And
> If I want to obtain this information for further handling, how can I do?
>

Yes, internal DNS servers can be assigned to a strongSwan client via the configuration payload. A sample scenario is shown here:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/console.log

By default the DNS servers are added to /etc/resolv.conf by the resolv-conf plugin. The destination file can be changed via the --with-resolv-conf=<file> configuration option.

strongSwan as a server can read DNS and WINS server information from /etc/strongswan.conf using the attr plugin:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/moon.strongswan.conf

Both the attr and resolv-conf (renamed to "resolve" starting with release 4.3.5) plugins are enabled by default.

>
> Q2:
>
> I have always a question, ie: as the description of RFC4306 (IKEv2),
> server can assigned the internal subnet and corresponding netmask to
> peer. Why we need to configure the rightsubnet in peer’s ipsec.conf?
>
> Is this item can be removed from ipsec.conf? or maybe this item is not
> be used to configure internal subnet and can be set as random value -
> (in fact, it can not be work when I set a random value to
> right/leftsubnet).
>

On the client side you can define right|leftsubnet=0.0.0.0/0 and the server will narrow the range down to its own definition. "Narrowing" is an IKEv2 feature.

>
> Look forward to your answer, thanks.
>
> David

Regards

Andreas

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
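
The narrowing mentioned in the reply, sketched as an added example (not part of the thread and not strongSwan's code): the responder intersects the traffic selector the client proposes with the one it has configured. The subnets are constructed sample values, and the model is simplified to address and port ranges only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    """Simplified IKEv2 traffic selector: an address range plus a port range."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    port_lo: int = 0
    port_hi: int = 65535

    @classmethod
    def from_subnet(cls, cidr: str) -> "TrafficSelector":
        # A left|rightsubnet value covers every address in the CIDR block.
        net = ipaddress.ip_network(cidr)
        return cls(net.network_address, net.broadcast_address)


def narrow(proposed: TrafficSelector,
           configured: TrafficSelector) -> Optional[TrafficSelector]:
    """Return the overlap of the client's proposal and the server's own
    definition, or None when they share nothing (no acceptable selector)."""
    first = max(proposed.first, configured.first)
    last = min(proposed.last, configured.last)
    lo = max(proposed.port_lo, configured.port_lo)
    hi = min(proposed.port_hi, configured.port_hi)
    if first > last or lo > hi:
        return None
    return TrafficSelector(first, last, lo, hi)


def as_subnets(ts: TrafficSelector) -> List[str]:
    """Express a narrowed address range as CIDR blocks for display."""
    return [str(n) for n in ipaddress.summarize_address_range(ts.first, ts.last)]


if __name__ == "__main__":
    server = TrafficSelector.from_subnet("10.1.0.0/16")   # constructed server subnet
    # Constructed client proposals: wildcard, a subset, and an unrelated subnet.
    for cidr in ("0.0.0.0/0", "10.1.2.0/24", "192.168.99.0/24"):
        result = narrow(TrafficSelector.from_subnet(cidr), server)
        print(cidr, "->", as_subnets(result) if result else "no overlap")
```

The unrelated subnet yields no overlap, which matches the observation in the question that a random subnet value does not work.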
