[Swan] Static ip for clients ikev1+xauth

Jonas Trollvik jontro at gmail.com
Wed Apr 22 20:46:35 EEST 2015


Hello,

after reading that IKEv1+xauth now is the recommended way for doing
vpn over ipsec I started out configuring it as specified in
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH


I have a connection that looks like the following

conn xauth-rsa
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=<my ip>
    leftid=<my id>
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightaddresspool=192.168.42.100-192.168.42.250
    right=%any
    modecfgdns1=8.8.8.8
    modecfgdns2=8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    ike-frag=yes
    xauthby=file

The connection works fine from macosx, however what I would like to do
is set a static ip for certain connecting clients. Either based on
group id, xauth username or shared secret.

Also I would like to enable split tunneling, how would one do this,
currently all traffic is routed through the vpn (there is no option
in the built in macos client to turn this off), I would only like to
route through certain ip ranges, is it possible to control this from
libreswan?

Running on libreswan head as of 4499dca1521fa16901efd9e380f6cf9da44d7f47

Kind regards
Jonas

