attr Plugin

Purpose

The attr plugin for libcharon provides IKE attributes configured in strongswan.conf to peers. It is enabled by default but may be disabled with the ./configure option

--disable-attr

Behavior

Configured attributes are assigned to peers via CP configuration payloads (IKEv2) or via Mode Config (IKEv1). Attributes are only assigned to peers if they request a virtual IP address.

Configuration

The attr plugin is configured using the following options in the charon.plugins.attr section of strongswan.conf:

Key Default Description

Key	Default	Description
<attribute>		Attribute assigned to a peer via `CP` configuration payload or `ModeConfig`

Attribute assigned to a peer via CP configuration payload or ModeConfig

Attribute Types

Possible values for <attribute are listed in the following table. Depending on the address family of the IP address specified as value the proper IP4 or IP6 attribute type is used. A complete list of IKEv2 configuration payload (CP) attributes can be found on the IANA website. Multiple values can be specified as a comma-separated list.

IPv4 Attributes

Key Attribute Type Code Description

Key	Attribute Type	Code	Description
address	INTERNAL_IP4_ADDRESS	1	Internal IPv4 address
netmask	INTERNAL_IP4_NETMASK	2	Netmask of the internal network (in dotted decimal notation), similar to `subnet` but bound to the internal address
dns	INTERNAL_IP4_DNS	3	DNS server
nbns	INTERNAL_IP4_NBNS	4	WINS server
dhcp	INTERNAL_IP4_DHCP	6	DHCP server
subnet	INTERNAL_IP4_SUBNET	13	The protected sub-networks that this edge-device protects (in `CIDR` notation). Usually ignored in deference to `local_ts`, though macOS clients will use this for routes

address

INTERNAL_IP4_ADDRESS

Internal IPv4 address

netmask

INTERNAL_IP4_NETMASK

Netmask of the internal network (in dotted decimal notation), similar to subnet but bound to the internal address

dns

INTERNAL_IP4_DNS

DNS server

nbns

INTERNAL_IP4_NBNS

WINS server

dhcp

INTERNAL_IP4_DHCP

DHCP server

subnet

INTERNAL_IP4_SUBNET

The protected sub-networks that this edge-device protects (in CIDR notation). Usually ignored in deference to local_ts, though macOS clients will use this for routes

IPv6 Attributes

Key Attribute Type Code Description

Key	Attribute Type	Code	Description
address	INTERNAL_IP6_ADDRESS	8	Internal IPv6 address
netmask	INTERNAL_IP6_NETMASK	9	Netmask of the internal network (IKEv1 only)
dns	INTERNAL_IP6_DNS	10	DNS server
nbns	INTERNAL_IP6_NBNS	11	WINS server (IKEv1 only)
dhcp	INTERNAL_IP6_DHCP	12	DHCP server
subnet	INTERNAL_IP6_SUBNET	15	The protected sub-networks that this edge-device protects (in `CIDR` notation)

address

INTERNAL_IP6_ADDRESS

Internal IPv6 address

netmask

INTERNAL_IP6_NETMASK

Netmask of the internal network (IKEv1 only)

dns

INTERNAL_IP6_DNS

DNS server

nbns

INTERNAL_IP6_NBNS

WINS server (IKEv1 only)

dhcp

INTERNAL_IP6_DHCP

DHCP server

subnet

INTERNAL_IP6_SUBNET

The protected sub-networks that this edge-device protects (in CIDR notation)

Miscellaneous IANA Attributes

The configured attribute type <integer code> as assigned by IANA. The value as defined by the referenced RFCs (see following examples), IP addresses and subnets are recognized, otherwise the literal string is used as the attribute value.

Key	Attribute Type	Code	Description
7	APPLICATION_VERSION	7	String of printable ASCII characters that signifies the version or application of the IPsec host
18	INTERNAL_IP6_PREFIX	18	Subnet passed to the clients as prefix

Cisco Unity extensions for IKEv1 (IPv4 and IPv6)

Key	Attribute Type	Code	Description
28672	UNITY_BANNER	28672	Message displayed on certain clients after login
28673	UNITY_SAVE_PASSWD	28673	Allow client to save Xauth password in local storage
28674	UNITY_DEF_DOMAIN	28674	Default search domain used when resolving host names via the assigned DNS servers
28675	UNITY_SPLITDNS_NAME	28675	If split tunneling is used clients might not install the assigned DNS servers globally. This space-separated list of domain names allows clients, such as macOS, to selectively query the assigned DNS servers. Seems Mac OS X uses only the first item in the list
split-include	UNITY_SPLIT_INCLUDE	28676	Comma-separated list of subnets to tunnel. The unity plugin provides a connection specific approach to assign this attribute
28677	UNITY_NATT_PORT	28677
split-exclude	UNITY_LOCAL_LAN	28678	Comma-separated list of subnets not to tunnel
28679	UNITY_PFS	28679
28680	UNITY_FW_TYPE	28680
28681	UNITY_BACKUP_SERVERS	28681
28682	UNITY_DDNS_HOSTNAME	28682

Legacy Options

Key Default Description

Key	Default	Description
charon.dns1		DNS server 1 assigned to peer via `CP` configuration payload
charon.dns2		DNS server 2 assigned to peer via `CP` configuration payload
charon.nbns1		WINS server 1 assigned to peer via `CP` configuration payload
charon.nbns2		WINS server 2 assigned to peer via `CP` configuration payload

charon.dns1

DNS server 1 assigned to peer via CP configuration payload

charon.dns2

DNS server 2 assigned to peer via CP configuration payload

charon.nbns1

WINS server 1 assigned to peer via CP configuration payload

charon.nbns2

WINS server 2 assigned to peer via CP configuration payload

Example

# the following assigns two DNS servers to peers
charon {
    plugins {
        attr {
            dns = 10.0.10.10, 10.0.20.10
        }
    }
}

# this is the same using the legacy options
charon {
    dns1 = 10.0.10.10
    dns2 = 10.0.20.10
}