
I would like to assign a static IP to each client based on its certificate (using eap-tls).

Currently, IP is assigned dynamically.

sunknudsen

2 Answers


There are several options to assign static virtual IP addresses:

  • If the authentication is done via RADIUS, it's possible to assign virtual IPs and other attributes to the clients as well. For virtual IPs that's done via Framed-IP[v6]-Address RADIUS attributes.
  • The attr-sql plugin optionally maps identities to static address leases (configurable via ipsec pool utility).
  • The dhcp plugin may be used if charon.plugins.dhcp.identity_lease is enabled and static leases are configured on the corresponding DHCP server for the clients. The mapping can be done via the client identity DHCP option (sent since 5.6.3) or via the virtual MAC addresses that are based on a hash of the client identity.
  • Configure individual connection entries with single IP address pools and static remote identities so they are matched against the identities of the clients. To do that with EAP authentication is currently not straightforward, though (see this answer).
ecdsa
  • Newbie question... couldn't I use something like `10.0.2.2: RSA moonKey.pem`? https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets – sunknudsen May 16 '19 at 12:57
  • The secrets have nothing to do with the configuration attributes. And the values before the colon are identities, which could be IP addresses, but a virtual IP assigned by the server will never be used as identity. Plus, for private keys you usually don't configure any identities, as these are only relevant locally. – ecdsa May 17 '19 at 06:26
  • Is there a sample in the docs that I can follow to setup the DHCP plugin? – sunknudsen May 23 '19 at 18:53
  • The [documentation of the _dhcp_ plugin](https://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin) describes how it's configured. The configuration of the DHCP server depends on the actual product. The only examples are the test scenarios that use ISC's _dhcpd_ e.g. [swanctl/dhcp-dynamic](https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/), [ikev2/static-client-id](https://www.strongswan.org/testing/testresults/ikev2/dhcp-static-client-id/), or [ikev2/dhcp-static-mac](https://www.strongswan.org/testing/testresults/ikev2/dhcp-static-mac/). – ecdsa May 24 '19 at 07:34
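Two of the options listed in this answer, written out as an added example; this is not configuration from the answer, from the question, or from the strongSwan project itself. The host name vpn.example.org, the client identities, the 10.0.2.0/24 virtual subnet, the DHCP server address 10.0.0.1, the interface eth1 and the file paths are all assumed. The first fragment is the per-client connection approach with certificate (pubkey) authentication, where each connection carries a one-address pool matched on the client's certificate DN; as the answer says, the same trick is not straightforward once the client authenticates with EAP, because the connection is selected on the IKE identity before EAP runs. The second fragment is the dhcp plugin with identity_lease and an ISC dhcpd host entry keyed on the client identifier; it assumes an email-form identity like the ones used in the linked test scenarios.

```conf
# --- /etc/swanctl/swanctl.conf (option 4: one connection and one single-address pool per client) ---
# Assumed: server identity vpn.example.org, client DNs below, virtual subnet 10.0.2.0/24.
connections {
    alice {
        version = 2
        pools = pool-alice                     # single-address pool defined below
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.org
        }
        remote {
            auth = pubkey
            # Must match alice's certificate subject DN (or a SAN) exactly;
            # a client presenting another certificate will not select this connection.
            id = "C=CH, O=Example, CN=alice"
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
    bob {
        version = 2
        pools = pool-bob
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.org
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example, CN=bob"
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
pools {
    pool-alice {
        addrs = 10.0.2.2/32                    # a /32 pool yields the same address every time
    }
    pool-bob {
        addrs = 10.0.2.3/32
    }
}

# --- /etc/strongswan.conf (option 3: lease comes from a DHCP server, keyed on the IKE identity) ---
charon {
    plugins {
        dhcp {
            load = yes
            identity_lease = yes               # send the client identity option; derive the MAC from a hash of the identity
            server = 10.0.0.1                  # assumed DHCP server (default is broadcast)
            interface = eth1                   # assumed interface facing the DHCP server
        }
    }
}
# The connection in swanctl.conf then requests its address from the plugin instead of a local pool:
#     pools = dhcp

# --- /etc/dhcp/dhcpd.conf (ISC dhcpd: static lease matched on the client identifier) ---
subnet 10.0.2.0 netmask 255.255.255.0 {
    range 10.0.2.100 10.0.2.200;               # dynamic fallback for clients without a host entry
}
host alice {
    option dhcp-client-identifier "alice@example.org";   # the IKE identity sent by strongSwan (assumed email-form)
    fixed-address 10.0.2.2;
}
host bob {
    option dhcp-client-identifier "bob@example.org";
    fixed-address 10.0.2.3;
}
```

Reload with `swanctl --load-all` after editing swanctl.conf; strongswan.conf changes to plugin settings need a charon restart. With the DHCP variant, confirm in the dhcpd log that the lease is granted to the client identifier rather than to the hashed MAC, since a typo in the identity silently falls back to the dynamic range.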

The most flexible way to do it is to use a RADIUS server. You can find a detailed example of the configuration in the strongSwan wiki.

Anton Danilov
  • Could I use `/etc/ipsec.secrets`? https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets – sunknudsen May 15 '19 at 14:17
  • Do you know which iptable rules I need to setup on the clients? I used the following on the server. https://medium.com/@sunknudsen/self-host-your-very-own-strongswan-ikev2-ipsec-state-of-the-art-vpn-server-for-ios-and-macos-8cd7023497fc#203e – sunknudsen May 15 '19 at 14:18
  • For clients the rules are the same: you should allow the esp/ah ip protocols for data transfer, and udp/4500 and udp/500 for IKE. – Anton Danilov May 15 '19 at 14:22
  • Guess the rules have to be inverted, right? Do you have time to suggest client iptables rules based on my Medium story? – sunknudsen May 15 '19 at 14:24
  • Created a separate question for client iptables rules. https://serverfault.com/questions/967386/what-iptable-rules-do-i-need-for-strongswan-clients – sunknudsen May 15 '19 at 14:26
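The RADIUS variant this answer recommends, written out as an added example; it is not configuration from the answer or from the strongSwan wiki. The RADIUS server address 10.0.0.5, the shared secret placeholder, the server identity vpn.example.org, the client identities and the virtual addresses are assumed. strongSwan forwards the EAP-TLS exchange to the RADIUS server through the eap-radius plugin and takes the client's virtual IP from the Framed-IP-Address attribute in Access-Accept; the FreeRADIUS users file below carries only reply items, since the certificate check itself is done by FreeRADIUS's eap module.

```conf
# --- /etc/strongswan.conf (hand EAP to a RADIUS server; assumed address and secret) ---
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 10.0.0.5
                    secret = CHANGE-ME-shared-secret   # placeholder; use a long random secret
                }
            }
        }
    }
}

# --- /etc/swanctl/swanctl.conf (one connection for all clients; the address is chosen by RADIUS) ---
connections {
    rw-eap {
        version = 2
        pools = radius                 # use the Framed-IP-Address returned by the RADIUS server
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-radius          # EAP-TLS runs on the RADIUS server, not in charon
            eap_id = %any              # ask the client for its EAP identity
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

# --- /etc/raddb/users (FreeRADIUS: per-identity reply items; identities assumed) ---
# First line of each entry is the User-Name to match; indented lines are reply attributes.
alice@example.org
    Framed-IP-Address = 10.0.2.2,
    Framed-IP-Netmask = 255.255.255.255
bob@example.org
    Framed-IP-Address = 10.0.2.3,
    Framed-IP-Netmask = 255.255.255.255
```

Make sure the User-Name that FreeRADIUS sees is the identity the client presents in EAP-TLS and not something the client can choose freely without also holding the matching certificate: the users file is keyed on that name, so the address binding is only as strong as the EAP-TLS check that ties the name to the certificate.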