[Swan] Static ip for clients ikev1+xauth

Paul Wouters paul at nohats.ca
Wed Apr 22 21:24:46 EEST 2015


On Wed, 22 Apr 2015, Jonas Trollvik wrote:

> I have a connection that looks like the following
>
> conn xauth-rsa
>    authby=secret
>    pfs=no
>    auto=add
>    rekey=no
>    left=<my ip>
>    leftid=<my id>
>    leftsendcert=always
>    leftsubnet=0.0.0.0/0
>    rightaddresspool=192.168.42.100-192.168.42.250
>    right=%any
>    modecfgdns1=8.8.8.8
>    modecfgdns2=8.8.4.4
>    leftxauthserver=yes
>    rightxauthclient=yes
>    leftmodecfgserver=yes
>    rightmodecfgclient=yes
>    modecfgpull=yes
>    ike-frag=yes
>    xauthby=file
>
> The connection works fine from macosx, however what I would like to do
> is set a static ip for certain connecting clients. Either based on
> group id, xauth username or shared secret.

Currently, our only option would be add a new connection with a different group
id. But it would require aggressive mode, and with PSK's that's really
the least secure setup :/

You'd have a better chance of getting this working when using
certificates, as you then should be able to match conns bassed on cert
IDs (but untested by me)

I guess it would be nice if we had a feature where the addresspool code
that remembers previously handed out IPs could be "pre-loaded" with some
ID-IP mappings. Anyone with some spare time on their hands? :)

> Also I would like to enable split tunneling, how would one do this,
> currently all traffic is routed throught the vpn (there is no option
> in the built in macos client to turn this off), I would only like to
> route through certain ip ranges, is it possible to control this from
> libreswan?

That is unfortunately only implemented as a client, not as a server. It
mostly involves dealing with sending the right XAUTH payloads on the
server side, and possibly some tweaks to add multiple SA's instead of
only one SA. It would use the leftsubnets={} syntax to specify these.

Paul


More information about the Swan mailing list