[Openswan Users] Assignment for Roadwarrior virtual IP addresses

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Dec 15 13:04:14 CET 2005


How does one assign virtual IP addresses to RoadWarriors without using
L2TP?

We are finding an increasing problem with many roadwarriors having the
same internal IP address as home wireless networks using the same
equipment with the same default DHCP settings proliferate.  This is a
problem for us in the ISCS network security management project
(http://iscs.sourceforge.net) because we regulate access control to the
IPSec tunnel based upon the X.509 DN cached against the user's IP
address.

This is a problem even without the security restrictions we place in
that openswan will not allow multiple connections for the same internal
IP address (I would imagine that would create routing nightmares).

Using L2TP would solve the problem, but it bypasses all of our security
since we would have no idea of which user is assigned which IP address.
We are trying to use IPSec only.

DHCP-over-IPSec seems like the ideal solution but the Windows IPSec
implementation does not support it and it appears that no active
commercial products support it either.

It does appear that some commercial clients support IKE mode config but
there is painfully little documentation on it.

StrongSWAN appears to support a rightsourceip parameter but it must be
assigned to each individual user.  That would appear to be huge
overhead.  We would prefer to pull them from a pool like DHCP-over-IPSec
did and intercept the value using $PLUTO_PEER_CLIENT_NET in the updown
script.

Our only options thus far appear to be to go to L2TP and cast off our
security model or manually regulate the roadwarrior IP address space :-(

Can someone guide us to a better way? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
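The DN-cached-against-IP scheme and the duplicate-internal-address problem described in the post, as an added example of an Openswan updown hook; this is not code from the original post nor from the Openswan or ISCS projects. It assumes the cache file path /var/run/ipsec-dn-cache and the stock _updown location /usr/lib/ipsec/_updown; PLUTO_VERB and PLUTO_PEER_ID are the standard updown environment variables that accompany PLUTO_PEER_CLIENT_NET.

```shell
#!/bin/sh
# Hypothetical updown wrapper (added example). Keeps a cache of
# "client-net <TAB> peer DN" lines so access control can be keyed by DN,
# and detects the collision the post describes: two roadwarriors whose
# home LANs give them the same internal network. Cache path is an assumption.
DN_CACHE="${DN_CACHE:-/var/run/ipsec-dn-cache}"

# cache_lookup NET: print the DN currently holding NET; exit 1 if none.
cache_lookup() {
    [ -f "$DN_CACHE" ] || return 1
    awk -F '\t' -v net="$1" '$1 == net { print $2; found = 1 }
                             END { exit !found }' "$DN_CACHE"
}

# cache_del NET: drop any entry for NET (used on down-* and before refresh).
cache_del() {
    [ -f "$DN_CACHE" ] || return 0
    tmp="$DN_CACHE.tmp.$$"
    awk -F '\t' -v net="$1" '$1 != net' "$DN_CACHE" > "$tmp" && mv "$tmp" "$DN_CACHE"
}

# cache_add NET DN: record NET->DN; return 1 if NET is held by a different DN.
cache_add() {
    net=$1; dn=$2
    if holder=$(cache_lookup "$net"); then
        # Same DN re-establishing (rekey/reconnect) is fine; another DN is a clash.
        if [ "$holder" != "$dn" ]; then
            echo "ipsec-dn-cache: $net held by '$holder', refused for '$dn'" >&2
            return 1
        fi
        return 0
    fi
    printf '%s\t%s\n' "$net" "$dn" >> "$DN_CACHE"
}

# Dispatch on the verb pluto hands us (up-client, down-client, ...).
updown_hook() {
    case "${PLUTO_VERB%%-*}" in
        up)   cache_add "$PLUTO_PEER_CLIENT_NET" "$PLUTO_PEER_ID" ;;
        down) cache_del "$PLUTO_PEER_CLIENT_NET" ;;
    esac
}

# Only act when invoked by pluto; then chain to the stock script (path assumed).
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_hook || exit 1        # nonzero exit makes pluto report the updown failure
    exec /usr/lib/ipsec/_updown
fi
```

Point `leftupdown=` in the connection definition at this wrapper; the cache file then gives the DN-to-address mapping the access-control layer needs, and the refusal on a clash surfaces in pluto's log rather than silently merging two users.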


