[Openswan Users] Assignment for Roadwarrior virtual IP addresses

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Dec 15 23:01:08 CET 2005


On Thu, 2005-12-15 at 13:04 -0500, John A. Sullivan III wrote:
> How does one assign virtual IP addresses to RoadWarriors without using
> L2TP?
> 
> We are finding an increasing problem with many roadwarriors having the
> same internal IP address as home wireless networks using the same
> equipment with the same default DHCP settings proliferate.  This is a
> problem for us in the ISCS network security management project
> (http://iscs.sourceforge.net) because we regulate access control to the
> IPSec tunnel based upon the X.509 DN cached against the user's IP
> address.
> 
> This is a problem even without the security restrictions we place in
> that openswan will not allow multiple connections for the same internal
> IP address (I would imagine that would create routing nightmares).
> 
> Using L2TP would solve the problem, but it bypasses all of our security
> since we would have no idea of which user is assigned which IP address.
> We are trying to use IPSec only.
> 
> DHCP-over-IPSec seems like the ideal solution but the Windows IPSec
> implementation does not support it and it appears that no active
> commercial products support it either.
> 
> It does appear that some commercial clients support IKE mode config but
> there is painfully little documentation on it.
> 
> StrongSWAN appears to support a rightsourceip parameter but it must be
> assigned to each individual user.  That would appear to be huge
> overhead.  We would prefer to pull them from a pool like DHCP-over-IPSec
> did and intercept the value using $PLUTO_PEER_CLIENT_NET in the updown
> script.
> 
> Our only options thus far appear to be go to L2TP and cast off our
> security model or manually regulate the roadwarrior IP address space :-(
> 
> Can someone guide us to a better way? Thanks - John

Thank you, as always, Paul Wouters, for your answers on this topic.
Since I don't use L2TP, I hadn't realized it has the same problem.  I
suppose that makes sense - the L2TP connection uses a virtual IP address
but the IPSec tunnel to tunnel the L2TP connection must be based upon
the real internal IP address.  Is that indeed the case?

I also take it that to use the rightsourceip parameter that apparently
openswan as well as StrongSWAN supports, the client must also support
virtual IP addresses through IKE mode config.  Is that true?

Finally, am I correct to assume that there is no way to bind a virtual
IP address to an IPSec connection with the native Windows IPSec client
and that one must use a commercial product like SafeNet to do this?

Thanks, all - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
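As an added illustration of the updown-script approach the quoted message describes (caching the X.509 DN against the client address Pluto hands the script, and catching the collision case where two roadwarriors arrive with the same home-LAN address), here is a small POSIX sh hook. It is not part of the original thread nor Openswan's own _updown script; PLUTO_VERB, PLUTO_PEER_ID and PLUTO_PEER_CLIENT_NET are the variables Pluto exports to updown, while the cache file path and the tab-separated cache format are assumptions.

```shell
#!/bin/sh
# Added example: cache "client net -> peer DN" from the updown environment
# and refuse a second peer that claims an address already bound to another DN.
# Cache path is an assumption; override with DN_CACHE.

CACHE="${DN_CACHE:-/tmp/iscs-dn-cache}"

# record_peer VERB DN CLIENT_NET
# Returns 0 when the mapping was recorded or removed, 1 on an address collision.
record_peer() {
    verb="$1"; dn="$2"; net="$3"
    touch "$CACHE"
    case "$verb" in
        up-client)
            # Is this client net already cached for a different DN?
            existing=$(awk -F'\t' -v n="$net" '$1 == n { print $2 }' "$CACHE")
            if [ -n "$existing" ] && [ "$existing" != "$dn" ]; then
                echo "collision: $net already bound to $existing (new: $dn)" >&2
                return 1
            fi
            # Drop any stale line for this net, then append the fresh mapping.
            awk -F'\t' -v n="$net" '$1 != n' "$CACHE" > "$CACHE.new"
            printf '%s\t%s\n' "$net" "$dn" >> "$CACHE.new"
            mv "$CACHE.new" "$CACHE"
            ;;
        down-client)
            # Tunnel went down: forget the mapping for this net.
            awk -F'\t' -v n="$net" '$1 != n' "$CACHE" > "$CACHE.new"
            mv "$CACHE.new" "$CACHE"
            ;;
    esac
    return 0
}

# lookup_dn CLIENT_NET: print the DN cached for that client net (empty if none).
lookup_dn() {
    awk -F'\t' -v n="$1" '$1 == n { print $2 }' "$CACHE"
}

# When invoked by Pluto, act on the environment it exports.
if [ -n "$PLUTO_VERB" ]; then
    record_peer "$PLUTO_VERB" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT_NET"
fi
```

The collision branch is where an access-control layer such as the one described in the thread would deny the tunnel (the script's non-zero exit causes Pluto to fail the connection), so a second roadwarrior on a duplicate address cannot inherit the first user's cached DN.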