[Swan] Static ip for clients ikev1+xauth

Wolfgang Nothdurft wolfgang at linogate.de
Thu Apr 23 10:37:00 EEST 2015


On 22.04.2015 at 20:24, Paul Wouters wrote:
> On Wed, 22 Apr 2015, Jonas Trollvik wrote:
>
>> I have a connection that looks like the following
>>
>> conn xauth-rsa
>>    authby=secret
>>    pfs=no
>>    auto=add
>>    rekey=no
>>    left=<my ip>
>>    leftid=<my id>
>>    leftsendcert=always
>>    leftsubnet=0.0.0.0/0
>>    rightaddresspool=192.168.42.100-192.168.42.250
>>    right=%any
>>    modecfgdns1=8.8.8.8
>>    modecfgdns2=8.8.4.4
>>    leftxauthserver=yes
>>    rightxauthclient=yes
>>    leftmodecfgserver=yes
>>    rightmodecfgclient=yes
>>    modecfgpull=yes
>>    ike-frag=yes
>>    xauthby=file
>>
>> The connection works fine from Mac OS X; however, what I would like to do
>> is set a static IP for certain connecting clients, either based on
>> group id, XAUTH username or shared secret.
>
> Currently, our only option would be to add a new connection with a
> different group id. But it would require aggressive mode, and with PSKs
> that's really the least secure setup :/
>
> You'd have a better chance of getting this working when using
> certificates, as you then should be able to match conns bassed on cert
> IDs (but untested by me)

I have tested this for a while and it should work.

I have also made a patch for "this special feature", where you are able 
to configure an ip per user in /etc/passwd, if you really need PSK 
connections.

user:password:connection[:ip or from-to ip range]

Maybe you will try it.

> I guess it would be nice if we had a feature where the addresspool code
> that remembers previously handed out IPs could be "pre-loaded" with some
> ID-IP mappings. Anyone with some spare time on their hands? :)
>
>> Also, I would like to enable split tunneling; how would one do this?
>> Currently all traffic is routed through the VPN (there is no option
>> in the built-in Mac OS X client to turn this off). I would only like to
>> route certain IP ranges through it; is it possible to control this from
>> libreswan?
>
> That is unfortunately only implemented as a client, not as a server. It
> mostly involves dealing with sending the right XAUTH payloads on the
> server side, and possibly some tweaks to add multiple SA's instead of
> only one SA. It would use the leftsubnets={} syntax to specify these.
>

Wolfgang

--- libreswan-3.12/programs/pluto/ikev1_xauth.c	2014-12-08 10:33:07.000000000 +0100
+++ libreswan-3.12/programs/pluto/ikev1_xauth.c	2014-12-08 10:32:54.000000000 +0100
@@ -112,6 +112,7 @@
 	char *name;
 	char *password;
 	char *connname;
+	char *ipaddr;
 	st_jbuf_t *ptr;
 };
 
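Review bot: the new `ipaddr` member is never referenced anywhere else in the patch; the parsed fourth field lives in the local `addresspool` inside the per-line loop of the later hunk. Either drop the member or use it to carry the parsed address out of the file loop, so the caller can apply it once and the parser does not have to touch the connection itself.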
@@ -1216,6 +1217,9 @@
 		char *userid;
 		char *passwdhash;
 		char *connectionname = NULL;
+		char *addresspool = NULL;
+		struct connection *c = arg->st->st_connection;
+		ip_range *pool_range;
 
 		lineno++;
 
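Review bot: `pool_range` is declared for every line of the password file but is only used in the range branch of the last hunk, and `c` aliases `arg->st->st_connection` so that the password-file parser can mutate the connection directly. Move `pool_range` into the branch that needs it (a plain `ip_range` on the stack would do, instead of the `alloc_thing`/`pfree` pair that follows) and consider returning the parsed address from the lookup and letting the caller apply it after the user is confirmed.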
@@ -1242,20 +1246,32 @@
 		/* get password hash */
 		passwdhash = p;
 		p = strchr(passwdhash, ':');	/* find end */
+ 		if (p == NULL) {
+ 			/* no end: skip line */
+ 			libreswan_log("XAUTH: %s:%d missing connection name field", pwdfile, lineno);
+ 			continue;
+ 		}
+ 		
+ 		*p++ ='\0';     /* terminate string by overwriting : */
+ 		
+ 		/* get connection name */
+ 		connectionname = p;
+ 		p = strchr(connectionname, ':');	/* find end */
 		if (p != NULL) {
-			/* optional connectionname */
+ 			/* optional addresspool */
 			*p++ ='\0';	/* terminate password string by overwriting : */
-			connectionname = p;
+ 			addresspool = p;
 		}
 
 		/* If connectionname is null, it applies
 		 * to all connections
 		 */
 		DBG(DBG_CONTROL,
-		    DBG_log("XAUTH: found user(%s/%s) pass(%s) connid(%s/%s)",
+ 		    DBG_log("XAUTH: found user(%s/%s) pass(%s) connid(%s/%s) addresspool(%s)",
 			    userid, arg->name,
 			    passwdhash,
-			    connectionname == NULL? "<any>" : connectionname, arg->connname));
+ 			    connectionname == NULL? "" : connectionname, arg->connname,
+ 			    addresspool == NULL? "" : addresspool));
 
 		if (streq(userid, arg->name) &&
 		    (connectionname == NULL || streq(connectionname, arg->connname)))
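Review bot: this changes the accepted file format in a way that rejects existing two-field `user:hash` lines: when the first `strchr(passwdhash, ':')` returns NULL the line is now logged as "missing connection name field" and skipped, whereas before a missing connection name meant "any connection". The comment "If connectionname is null, it applies to all connections" still says so, but after this hunk `connectionname` can no longer be NULL, and an empty third field (`user:hash::10.0.0.5`) yields "" rather than NULL, so `streq(connectionname, arg->connname)` fails instead of matching every connection. Suggest keeping the two-field form valid and treating an empty name as the wildcard, e.g. `if (connectionname[0] == '\0') connectionname = NULL;` before the match. Two smaller points: the debug line dropped the `<any>` marker in favour of an empty string, and the added lines are indented with `+ ` plus a tab where the surrounding code uses a plain tab, which also leaves trailing whitespace on the two empty lines.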
@@ -1285,8 +1301,38 @@
 					      userid, connectionname);
 			}
 
-			if (win)
+			if (win) {
+
+				if(addresspool != NULL) {
+					/* set user defined ip address or pool */
+					char *temp;
+					temp = strchr(addresspool, '-');
+					if (temp == NULL ) {
+
+						ttoaddr(addresspool, 0, AF_INET, &c->spd.that.client.addr);
+						if ((c->pool != NULL)) {
+							DBG(DBG_CONTROLMORE,
+								DBG_log("free addresspool entry for the conn %s ",
+							 	c->name));
+							unreference_addresspool(c);
+						}
+					} else {
+
+						pool_range = alloc_thing(ip_range, "pool_range");
+
+						if(pool_range != NULL){
+
+							ttorange(addresspool, 0, AF_INET, pool_range, TRUE);
+							if(pool_range->start.u.v4.sin_addr.s_addr){
+								c->pool = install_addresspool(pool_range);
+							}
+							pfree(pool_range);
+						}
+					}
+				}
+
 				break;
+			}
 
 			libreswan_log("XAUTH: nope");
 		}
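Review bot: the `err_t` results of `ttoaddr()` and `ttorange()` are discarded, so a typo in the address field silently leaves `c->spd.that.client.addr` with whatever the failed conversion wrote, and the range branch relies on `pool_range->start.u.v4.sin_addr.s_addr` being non-zero as a proxy for success; check the return value and reject the line instead, e.g. `err_t ugh = ttoaddr(addresspool, 0, AF_INET, &c->spd.that.client.addr); if (ugh != NULL) { libreswan_log("XAUTH: bad address '%s': %s", addresspool, ugh); ... }`. Second, the range branch assigns `c->pool = install_addresspool(pool_range)` without the `unreference_addresspool(c)` that the single-address branch performs, so an existing pool reference on the connection is leaked every time such a user authenticates. Third, nothing here marks a static address as taken in the shared pool that other clients of the same conn draw from, so a collision with a dynamically leased address is possible unless the static addresses are kept outside the configured `rightaddresspool` range; that constraint should at least be documented. Style: `if(addresspool != NULL)`, `if (temp == NULL )` and `if(pool_range != NULL){` depart from the surrounding `if (x) {` spacing.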


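The password-file format Wolfgang describes (user:password:connection[:ip or from-to ip range]) as a strict parser with a lookup, an added example that is neither libreswan's code nor part of the patch above: the entry names, placeholder hashes, helper names and the in-memory sample file are constructed for the demo. It keeps the two-field `user:hash` form valid for every connection and rejects what a lenient parser would let through: an unparsable address, a reversed range and a stray fifth field.

```c
/* Added example, not libreswan code: strict parser and lookup for the XAUTH
 * password-file format user:password:connection[:ip or from-to range]. Entry
 * names, placeholder hashes and helper names are constructed for this demo. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

enum pw_addr_kind { PW_ADDR_NONE = 0, PW_ADDR_SINGLE, PW_ADDR_RANGE };
struct pw_entry {
    char user[64], hash[128], conn[64];  /* conn "" = applies to any connection */
    enum pw_addr_kind kind;              /* what the optional fourth field held */
    uint32_t start, end;                 /* IPv4, host order; start == end for one address */
};

static int copy_field(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= cap) return 0;    /* reject empty/oversized rather than truncate */
    memcpy(dst, src, n + 1);
    return 1;
}

static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;  /* failure is reported, not dropped */
    *out = ntohl(a.s_addr);
    return 1;
}

/* "a.b.c.d" or "a.b.c.d-e.f.g.h"; a reversed range is refused as a typo. */
static int parse_addr_field(char *field, struct pw_entry *e)
{
    char *dash = strchr(field, '-');
    if (dash != NULL) *dash++ = '\0';
    if (!parse_ipv4(field, &e->start)) return 0;
    e->end = e->start;
    e->kind = dash ? PW_ADDR_RANGE : PW_ADDR_SINGLE;
    return dash == NULL || (parse_ipv4(dash, &e->end) && e->start <= e->end);
}

/* 1 if the line parses; 0 if malformed (field count, empty user/hash, bad address). */
int parse_pw_line(const char *line, struct pw_entry *e)
{
    char buf[512], *f[4] = { 0 }, *p = buf;
    int nf = 0;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';
    while (nf < 4) {                     /* split on ':' into at most four fields */
        f[nf++] = p;
        if ((p = strchr(p, ':')) == NULL) break;
        *p++ = '\0';
    }
    if (p != NULL) return 0;             /* a fifth field is an error, not ignored */
    memset(e, 0, sizeof *e);
    if (nf < 2 || !copy_field(e->user, sizeof e->user, f[0]) ||
        !copy_field(e->hash, sizeof e->hash, f[1])) return 0;
    if (nf >= 3 && f[2][0] && !copy_field(e->conn, sizeof e->conn, f[2])) return 0;
    return nf < 4 || !f[3][0] || parse_addr_field(f[3], e);
}

/* First entry for user whose conn field is empty or equals conn; malformed lines
 * never match. *out is scratch and only meaningful when 1 is returned. */
int lookup_user(const char *file, const char *user, const char *conn, struct pw_entry *out)
{
    for (const char *p = file; *p != '\0'; p += strcspn(p, "\n"), p += (*p == '\n')) {
        char line[512];
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) continue;  /* absurdly long line: skip it */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_pw_line(line, out) && strcmp(out->user, user) == 0 &&
            (out->conn[0] == '\0' || strcmp(out->conn, conn) == 0))
            return 1;
    }
    return 0;
}

/* Constructed sample: carol's address is invalid, dave's two-field line matches any
 * conn, erin's range is reversed, frank has a stray fifth field. */
const char *SAMPLE_PASSWD =
    "alice:$1$saltsalt$hash1:xauth-rsa:192.168.42.100\n"
    "bob:$1$saltsalt$hash2:xauth-rsa:192.168.42.110-192.168.42.119\n"
    "carol:$1$saltsalt$hash3:xauth-rsa:192.168.42.999\n"
    "dave:$1$saltsalt$hash4\n"
    "erin:$1$saltsalt$hash5:xauth-rsa:192.168.42.30-192.168.42.20\n"
    "frank:$1$saltsalt$hash6:xauth-rsa:192.168.42.40:extra\n";

/* -1: no usable entry; 0: entry without an address; else number of addresses. */
int range_size_for(const char *user, const char *conn)
{
    struct pw_entry e;
    if (!lookup_user(SAMPLE_PASSWD, user, conn, &e)) return -1;
    return e.kind == PW_ADDR_NONE ? 0 : (int)(e.end - e.start + 1);
}
uint32_t static_start_for(const char *user, const char *conn)
{
    struct pw_entry e;
    return lookup_user(SAMPLE_PASSWD, user, conn, &e) ? e.start : 0;
}
```

A malformed line is treated as "no entry" here so that a typo can never hand a client a half-parsed address; a daemon using this would additionally log the rejected line, and should still keep any statically assigned addresses outside the range it hands out dynamically from `rightaddresspool`.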