Andreas,

Thank you very much for the information. I have one more question: when using modeconfig to set the virtual ip, is it possible to send the roadwarrior's hostname as part of the modeconfig request?

The reason I ask is that my gateway is a Cisco ASA which does not support IKEv2. The ASA is acting as a DHCP proxy, and I need to have the roadwarrior's hostname in the DHCP request. If it is impossible to send the hostname I will look into upgrading the ASA to a version that supports IKEv2.

Thank you,

Mark Marwil

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Monday, May 23, 2011 12:10 PM
To: Marwil, Mark-P63354
Cc: [email protected]
Subject: Re: [strongSwan] DHCP over IPsec

Hi Mark,

strongSwan as a client does not support DHCP-over-IPsec as defined by RFC 3456, although we introduced the left|rightprotoport configuration option about 10 years ago to allow the setup of short-lived DHCP SAs for 0.0.0.0/0 restricted to the bootps port on a strongSwan gateway, successfully interoperating with the SSH Sentinel client which at that time implemented RFC 3456.

Later on everyone abandoned DHCP-over-IPsec in favour of the IKEv2 configuration payload. If you prefer a DHCP server to assign a virtual IP address to your strongSwan client, we recommend switching to IKEv2 and activating the dhcp and farp plugins on a strongSwan gateway which will then act as a DHCP proxy server. Have a look at the following example scenarios:

http://www.strongswan.org/uml/testresults45/ikev2/dhcp-dynamic/
http://www.strongswan.org/uml/testresults45/ikev2/dhcp-static-client-id
http://www.strongswan.org/uml/testresults45/ikev2/dhcp-static-mac/

Best regards

Andreas

On 05/23/2011 08:05 PM, [email protected] wrote:
> All,
>
> I would like to find out if the strongswan client on a roadwarrior
> supports obtaining a virtual ip address through dhcp over ipsec as
> defined by RFC 3456.
>
> I would like to set up the configuration described at
> http://www.strongswan.org/uml/testresults/ikev1/mode-config/index.html
>
> But instead of carol using %modeconfig to get a leftsourceip, she gets
> it through dhcp. Is this possible through a custom _updown script?
>
> Thank you,
>
> Mark Marwil

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
