[strongSwan] setting domain search via attr plugin (IKEv2)
Harald Dunkel
2015-01-23 09:31:27 UTC
Hi folks,

I would like to modify the domain search list in /etc/resolv.conf
via the attr plugin on the road warrior laptop. For IKEv1 it seems
to work as described on the wiki, but I wonder why the UNITY_DEF_DOMAIN
and UNITY_SPLITDNS_NAME are not supported for IKEv2 as well?

Strongswan is version 5.2.1. The laptop runs network-manager-strongswan
1.3.0 and network-manager 0.9.4.0.


Every helpful comment is highly appreciated
Harri
--
aixigo AG, Karl-Friedrich-Strasse 68, 52072 Aachen, Germany
phone: +49 241 559709-0, fax: +49 241 559709-99
eMail: ***@aixigo.de, web: http://www.aixigo.de
Amtsgericht Aachen (local court) - HRB 8057, Board of Management: Erich Borsch, Christian Friedrich, Tobias Haustein, Chairman of the Supervisory Board: Prof. Dr. Ruediger von Nitzsch
Martin Willi
2015-01-23 10:14:21 UTC
Hi,
> I wonder why the UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME are not
> supported for IKEv2 as well?
The IKEv2 protocol does not define such an attribute, nor am I aware of
any extension that does. In IKEv1 these attributes are used by the
proprietary (but widely used) Cisco Unity extensions, and we can send
them in strongSwan for installation by third party clients.

None of our backends (resolve plugin, charon-nm) actually handle such
attributes. While you could send your own definition of such an
attribute in IKEv2, it is not handled by strongSwan (or a third party
client).

In short, configuring domain search lists over IKE is currently not
supported (and not standardized). All you currently can do is to send
these Unity attributes to third party clients supporting this
proprietary extension.

Regards
Martin
Harald Dunkel
2015-01-23 10:58:12 UTC
Post by Martin Willi
> None of our backends (resolve plugin, charon-nm) actually handle such
> attributes. While you could send your own definition of such an
> attribute in IKEv2, it is not handled by strongSwan (or a third party
> client).
That's the point. I would need support for new payload attributes on
both peers. Maybe Strongswan could support a callback function for private
payload attribute types? (Hopefully I wasn't too blind to see)
Post by Martin Willi
> In short, configuring domain search lists over IKE is currently not
> supported (and not standardized). All you currently can do is to send
> these Unity attributes to third party clients supporting this
> proprietary extension.
Cisco did not hesitate to use the private attributes for IKEv1. Do you
think it would be possible to support similar private attributes for
IKEv2 on both sides, as Cisco did?


Just a suggestion, of course. Keep on your good work.

Harri
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21
Martin Willi
2015-01-23 12:08:38 UTC
> I would need support for new payload attributes on both peers.
At the server side, configuring custom attributes is already doable, for
example with the attr plugin [1]. If configuration by the numerical
value is too cryptic, adding aliases should be trivial.
> Maybe Strongswan could support a callback function for private
> payload attribute types?
Handling custom attributes at a plugin level is possible. A plugin
implementing the attribute_handler_t [2] interface (as done by the
resolve plugin and others) can request and handle any type of attribute.
> Cisco did not hesitate to use the private attributes for IKEv1. Do you
> think it would be possible to support similar private attributes for
> IKEv2 on both sides, as Cisco did?
It is perfectly fine to allocate attribute type values from the IANA
"private use" range, and then use these attributes if we know the peer
uses them for the same purpose. Usually this is done by detecting the
implementation type by exchanging Vendor ID payloads.

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/AttrPlugin
[2]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/attributes/attribute_handler.h
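The mechanism Martin describes above, a private-use configuration attribute that a client only acts on once the peer has identified itself through a Vendor ID, is shown here as an added example. It is not strongSwan's code and does not use the attr plugin or the attribute_handler_t interface; it only models the IKEv2 configuration attribute wire format from RFC 7296 (reserved bit, 15-bit type, 16-bit length, value) and the acceptance decision a receiver would make. The attribute type number PRIVATE_DNS_SEARCH_DOMAIN and the Vendor ID EXAMPLE_VENDOR_ID are placeholders constructed for the example, not allocated values.

```python
import struct

# Subset of IKEv2 Configuration Attribute types from RFC 7296, section 3.15.1
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
STANDARD_TYPES = {INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS}

# IANA "private use" range for IKEv2 configuration attribute types
PRIVATE_USE_MIN, PRIVATE_USE_MAX = 16384, 32767

# Hypothetical private-use type for a DNS search domain.  The value is a
# placeholder chosen for this example; nobody has allocated or standardized it.
PRIVATE_DNS_SEARCH_DOMAIN = PRIVATE_USE_MIN + 42

# Constructed Vendor ID that two cooperating implementations would exchange to
# signal "I understand PRIVATE_DNS_SEARCH_DOMAIN".  Not a real Vendor ID.
EXAMPLE_VENDOR_ID = b"example-dns-search-v1"


def encode_attribute(attr_type, value):
    """Encode one attribute: 1 reserved bit, 15-bit type, 16-bit length, value."""
    if not 0 <= attr_type <= 0x7FFF:
        raise ValueError("attribute type must fit in 15 bits")
    if len(value) > 0xFFFF:
        raise ValueError("attribute value too long")
    return struct.pack("!HH", attr_type, len(value)) + value


def decode_attributes(data):
    """Parse a sequence of attributes; reject anything malformed or truncated."""
    attrs = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", data, off)
        if attr_type & 0x8000:
            raise ValueError("reserved bit set in attribute type")
        off += 4
        if len(data) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((attr_type, data[off:off + length]))
        off += length
    return attrs


def is_malformed(data):
    """True when decode_attributes() rejects the input."""
    try:
        decode_attributes(data)
    except ValueError:
        return True
    return False


def select_attributes(attrs, peer_vendor_ids):
    """Split received attributes into those to act on and those to ignore.

    Standard types are always accepted.  The private-use type is accepted only
    when the peer announced EXAMPLE_VENDOR_ID, i.e. when we know it means the
    same thing by that number.  Anything else is set aside and left untouched so
    an unexpected attribute cannot change the client's configuration.
    """
    peer_speaks_our_extension = EXAMPLE_VENDOR_ID in peer_vendor_ids
    accepted, ignored = [], []
    for attr_type, value in attrs:
        if attr_type in STANDARD_TYPES:
            accepted.append((attr_type, value))
        elif (PRIVATE_USE_MIN <= attr_type <= PRIVATE_USE_MAX
              and attr_type == PRIVATE_DNS_SEARCH_DOMAIN
              and peer_speaks_our_extension):
            accepted.append((attr_type, value))
        else:
            ignored.append((attr_type, value))
    return accepted, ignored


def search_domains(accepted):
    """Extract the search domain strings from accepted attributes."""
    return [v.decode("ascii") for t, v in accepted
            if t == PRIVATE_DNS_SEARCH_DOMAIN]


def build_sample_payload():
    """Constructed CFG_REPLY attribute list: an address plus a private search domain."""
    return (encode_attribute(INTERNAL_IP4_ADDRESS, bytes([10, 0, 0, 5]))
            + encode_attribute(PRIVATE_DNS_SEARCH_DOMAIN, b"example.org"))


if __name__ == "__main__":
    attrs = decode_attributes(build_sample_payload())
    for vids in ([], [EXAMPLE_VENDOR_ID]):
        acc, ign = select_attributes(attrs, vids)
        print("vendor ids %r -> search domains %r, ignored %d"
              % (vids, search_domains(acc), len(ign)))
```

Run stand-alone, the script decodes the same attribute list twice: without the Vendor ID the private attribute is parsed but ignored and no search domain is installed; with it, "example.org" is accepted. Both peers have to agree on the number and on the Vendor ID that announces it, which is exactly the coordination problem Martin points out for anything outside the standard attribute set.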