[Swan] Static ip for clients ikev1+xauth
Wolfgang Nothdurft
wolfgang at linogate.de
Thu Apr 23 10:37:00 EEST 2015
On 22.04.2015 at 20:24, Paul Wouters wrote:
> On Wed, 22 Apr 2015, Jonas Trollvik wrote:
>
>> I have a connection that looks like the following
>>
>> conn xauth-rsa
>> authby=secret
>> pfs=no
>> auto=add
>> rekey=no
>> left=<my ip>
>> leftid=<my id>
>> leftsendcert=always
>> leftsubnet=0.0.0.0/0
>> rightaddresspool=192.168.42.100-192.168.42.250
>> right=%any
>> modecfgdns1=8.8.8.8
>> modecfgdns2=8.8.4.4
>> leftxauthserver=yes
>> rightxauthclient=yes
>> leftmodecfgserver=yes
>> rightmodecfgclient=yes
>> modecfgpull=yes
>> ike-frag=yes
>> xauthby=file
>>
>> The connection works fine from Mac OS X; however, what I would like to do
>> is set a static IP for certain connecting clients, based either on
>> group id, XAUTH username or shared secret.
>
> Currently, our only option would be to add a new connection with a
> different group id. But it would require aggressive mode, and with PSKs
> that's really the least secure setup :/
>
> You'd have a better chance of getting this working when using
> certificates, as you then should be able to match conns based on cert
> IDs (but untested by me)
I have tested this for a while and it should work.
I have also made a patch for "this special feature", where you are able
to configure an IP per user in /etc/passwd, if you really need PSK
connections.
user:password:connection[:ip or from-to ip range]
Maybe you will try it.
> I guess it would be nice if we had a feature where the addresspool code
> that remembers previously handed out IPs could be "pre-loaded" with some
> ID-IP mappings. Anyone with some spare time on their hands? :)
>
>> Also I would like to enable split tunneling; how would one do this?
>> Currently all traffic is routed through the VPN (there is no option
>> in the built-in macOS client to turn this off); I would only like to
>> route certain IP ranges through it. Is it possible to control this from
>> libreswan?
>
> That is unfortunately only implemented as a client, not as a server. It
> mostly involves dealing with sending the right XAUTH payloads on the
> server side, and possibly some tweaks to add multiple SAs instead of
> only one SA. It would use the leftsubnets={} syntax to specify these.
>
Wolfgang
-------------- next part --------------
--- libreswan-3.12/programs/pluto/ikev1_xauth.c 2014-12-08 10:33:07.000000000 +0100
+++ libreswan-3.12/programs/pluto/ikev1_xauth.c 2014-12-08 10:32:54.000000000 +0100
@@ -112,6 +112,7 @@
char *name;
char *password;
char *connname;
+ char *ipaddr;
st_jbuf_t *ptr;
};
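Review bot: the new `ipaddr` member added to this struct is never assigned or read anywhere else in the patch; the later hunk keeps the parsed address in a local `addresspool` instead. Either drop the field, or use it to carry the address out of the per-line parsing loop so that the connection is modified once after the file has been processed rather than in the middle of the password check.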
@@ -1216,6 +1217,9 @@
char *userid;
char *passwdhash;
char *connectionname = NULL;
+ char *addresspool = NULL;
+ struct connection *c = arg->st->st_connection;
+ ip_range *pool_range;
lineno++;
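Review bot: `pool_range` is declared at function scope but is only used in the innermost else branch of the last hunk, where it is heap-allocated with `alloc_thing` and freed a few lines later; a stack `ip_range` declared in that block would do the same job without the allocation, the `pfree`, and the NULL check. Likewise `c` is only needed on the success path, so fetching `arg->st->st_connection` at the point of use (or once before the loop) keeps the per-line parsing declarations as they were.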
@@ -1242,20 +1246,32 @@
/* get password hash */
passwdhash = p;
p = strchr(passwdhash, ':'); /* find end */
+ if (p == NULL) {
+ /* no end: skip line */
+ libreswan_log("XAUTH: %s:%d missing connection name field", pwdfile, lineno);
+ continue;
+ }
+
+ *p++ ='\0'; /* terminate string by overwriting : */
+
+ /* get connection name */
+ connectionname = p;
+ p = strchr(connectionname, ':'); /* find end */
if (p != NULL) {
- /* optional connectionname */
+ /* optional addresspool */
*p++ ='\0'; /* terminate password string by overwriting : */
- connectionname = p;
+ addresspool = p;
}
/* If connectionname is null, it applies
* to all connections
*/
DBG(DBG_CONTROL,
- DBG_log("XAUTH: found user(%s/%s) pass(%s) connid(%s/%s)",
+ DBG_log("XAUTH: found user(%s/%s) pass(%s) connid(%s/%s) addresspool(%s)",
userid, arg->name,
passwdhash,
- connectionname == NULL? "<any>" : connectionname, arg->connname));
+ connectionname == NULL? "" : connectionname, arg->connname,
+ addresspool == NULL? "" : addresspool));
if (streq(userid, arg->name) &&
(connectionname == NULL || streq(connectionname, arg->connname)))
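Review bot: the connection-name field becomes mandatory here, which silently breaks existing password files. A two-field `user:hash` line, valid before this patch and meaning "any connection", now hits the new `p == NULL` check and is skipped with "missing connection name field", while the comment "If connectionname is null, it applies to all connections" and the `connectionname == NULL ||` test just below it can no longer trigger, because `connectionname = p` is always non-NULL. An empty third field (`user:hash:`) does not restore the old meaning either, since `streq("", arg->connname)` fails. Suggest keeping the two-field form working: on `p == NULL` leave `connectionname` NULL and fall through instead of `continue`, and after the split treat an empty name as "any", e.g. `if (*connectionname == '\0') connectionname = NULL;`. Two smaller points in the same hunk: the comment on the second `*p++ = '\0'` still says "terminate password string" although it now terminates the connection name, and the debug output changed `"<any>"` to `""`, which makes the wildcard case harder to recognise in logs.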
@@ -1285,8 +1301,38 @@
userid, connectionname);
}
- if (win)
+ if (win) {
+
+ if(addresspool != NULL) {
+ /* set user defined ip address or pool */
+ char *temp;
+ temp = strchr(addresspool, '-');
+ if (temp == NULL ) {
+
+ ttoaddr(addresspool, 0, AF_INET, &c->spd.that.client.addr);
+ if ((c->pool != NULL)) {
+ DBG(DBG_CONTROLMORE,
+ DBG_log("free addresspool entry for the conn %s ",
+ c->name));
+ unreference_addresspool(c);
+ }
+ } else {
+
+ pool_range = alloc_thing(ip_range, "pool_range");
+
+ if(pool_range != NULL){
+
+ ttorange(addresspool, 0, AF_INET, pool_range, TRUE);
+ if(pool_range->start.u.v4.sin_addr.s_addr){
+ c->pool = install_addresspool(pool_range);
+ }
+ pfree(pool_range);
+ }
+ }
+ }
+
break;
+ }
libreswan_log("XAUTH: nope");
}
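Review bot: both address conversions in this hunk ignore their result. `ttoaddr()` and `ttorange()` return an error on bad input, but the single-address branch writes into `c->spd.that.client.addr` regardless, and the range branch only checks that `pool_range->start.u.v4.sin_addr.s_addr` is non-zero, so a typo in the fourth field (say `192.168.42.300`) passes authentication and leaves the client address with whatever the failed conversion produced instead of being logged and rejected. Check the returned value and log the file name and line number as the earlier "missing connection name field" path does. Two further points: the range branch assigns `c->pool = install_addresspool(pool_range)` without first calling `unreference_addresspool(c)` the way the single-address branch does, so an existing pool reference on the conn is dropped silently; and nothing here checks that the static address or range lies outside the conn's configured `rightaddresspool`, so the pool can later hand the same address to another client. Finally, these writes to `c` happen from inside the password-checking loop; if this code runs in the XAUTH helper thread (the `st_jbuf_t *ptr` member of the struct in the first hunk suggests it does), changing the connection's pool and client address there rather than in the main thread once the result is back needs a second look.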
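The file format Wolfgang proposes (`user:password:connection[:ip or from-to ip range]`) is easy to get subtly wrong, as the parsing and address handling in the patch show. Below is an added, stand-alone example written for this page; it is not code from libreswan or from Wolfgang's patch. It parses that line format strictly, keeps the pre-patch meaning of a missing or empty connection field ("any connection"), rejects malformed addresses and reversed ranges instead of ignoring conversion errors, and checks a static assignment against the conn's `rightaddresspool` so it cannot collide with an address the pool may later hand to another client. Function names, field sizes, the IPv4-only restriction and the sample lines are this example's own assumptions; the pool range is the one from the conn at the top of the thread.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed line of the proposed format user:hash:conn[:ip | :from-to]; sizes and names are this example's assumptions. */
struct xauth_entry {
	char user[64], hash[128];
	char conn[64];        /* empty: applies to any conn */
	uint32_t start, end;  /* host-order IPv4 range; start == 0: no static address */
};

static int copy_field(char *dst, size_t dstlen, const char *src)
{
	if (strlen(src) >= dstlen)
		return 0;
	strcpy(dst, src);
	return 1;
}

/* Parse "a.b.c.d" or "a.b.c.d-e.f.g.h"; rejects 0.0.0.0 and reversed ranges. */
int parse_ipv4_range(const char *s, uint32_t *start, uint32_t *end)
{
	char buf[64], *dash;
	struct in_addr lo, hi;
	if (!copy_field(buf, sizeof buf, s))
		return 0;
	if ((dash = strchr(buf, '-')) != NULL)
		*dash++ = '\0';
	if (inet_pton(AF_INET, buf, &lo) != 1)
		return 0;
	hi = lo;
	if (dash != NULL && inet_pton(AF_INET, dash, &hi) != 1)
		return 0;
	*start = ntohl(lo.s_addr);
	*end = ntohl(hi.s_addr);
	return *start != 0 && *start <= *end;
}

/* Returns 1 and fills *e, or 0 for a malformed line: user and hash are mandatory,
 * a missing or empty conn means "any conn", the optional fourth field must parse. */
int parse_xauth_line(const char *line, struct xauth_entry *e)
{
	char buf[512], *field[4], *p;
	int n = 1;
	memset(e, 0, sizeof *e);
	if (!copy_field(buf, sizeof buf, line))
		return 0;
	buf[strcspn(buf, "\r\n")] = '\0';
	field[0] = buf;
	for (p = buf; (p = strchr(p, ':')) != NULL; ) {
		if (n == 4)
			return 0;     /* more than four fields */
		*p++ = '\0';
		field[n++] = p;
	}
	if (n < 2 || field[0][0] == '\0' || field[1][0] == '\0')
		return 0;
	if (!copy_field(e->user, sizeof e->user, field[0]) ||
	    !copy_field(e->hash, sizeof e->hash, field[1]) ||
	    (n >= 3 && !copy_field(e->conn, sizeof e->conn, field[2])))
		return 0;
	if (n == 4 && field[3][0] != '\0' &&
	    !parse_ipv4_range(field[3], &e->start, &e->end))
		return 0;
	return 1;
}

/* -1 if the line is malformed, else whether it applies to user on conn,
 * with the same match rule as the patch's loop (absent/empty conn = any). */
int line_applies(const char *line, const char *user, const char *conn)
{
	struct xauth_entry e;
	if (!parse_xauth_line(line, &e))
		return -1;
	return strcmp(e.user, user) == 0 &&
	       (e.conn[0] == '\0' || strcmp(e.conn, conn) == 0);
}

/* -1 if line or pool is malformed; else 1 if the line's static address or range
 * intersects the pool, i.e. the pool could later hand the same address to another client. */
int check_line_against_pool(const char *line, const char *pool)
{
	struct xauth_entry e;
	uint32_t ps, pe;
	if (!parse_ipv4_range(pool, &ps, &pe) || !parse_xauth_line(line, &e))
		return -1;
	return e.start != 0 && e.start <= pe && e.end >= ps;
}

int main(void)
{
	/* constructed sample lines; "$hash$" stands in for a real password hash */
	const char *pool = "192.168.42.100-192.168.42.250"; /* rightaddresspool above */
	printf("%d\n", check_line_against_pool("alice:$hash$:xauth-rsa:192.168.42.10", pool));
	printf("%d\n", check_line_against_pool("bob:$hash$:xauth-rsa:192.168.42.110-192.168.42.120", pool));
	printf("%d\n", line_applies("carol:$hash$", "carol", "xauth-rsa"));
	return 0;
}
```

Compile with `cc -o xauthfile xauthfile.c` and run. In a real integration a line for which the functions return -1 would be logged with file name and line number, as the patch already does for a missing field, and `check_line_against_pool()` returning 1 would be treated as a configuration error before any pool is installed on the conn.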