[Swan] Static ip for clients ikev1+xauth

Jonas Trollvik jontro at gmail.com
Thu Apr 23 11:28:43 EEST 2015


2015-04-23 9:37 GMT+02:00 Wolfgang Nothdurft <wolfgang at linogate.de>:
> On 22.04.2015 at 20:24, Paul Wouters wrote:
>>
>> On Wed, 22 Apr 2015, Jonas Trollvik wrote:
>>
>>> I have a connection that looks like the following
>>>
>>> conn xauth-rsa
>>>    authby=secret
>>>    pfs=no
>>>    auto=add
>>>    rekey=no
>>>    left=<my ip>
>>>    leftid=<my id>
>>>    leftsendcert=always
>>>    leftsubnet=0.0.0.0/0
>>>    rightaddresspool=192.168.42.100-192.168.42.250
>>>    right=%any
>>>    modecfgdns1=8.8.8.8
>>>    modecfgdns2=8.8.4.4
>>>    leftxauthserver=yes
>>>    rightxauthclient=yes
>>>    leftmodecfgserver=yes
>>>    rightmodecfgclient=yes
>>>    modecfgpull=yes
>>>    ike-frag=yes
>>>    xauthby=file
>>>
>>> The connection works fine from macosx; however, what I would like to do
>>> is set a static ip for certain connecting clients, either based on
>>> group id, xauth username or shared secret.
>>
>>
>> Currently, our only option would be to add a new connection with a
>> different group id. But it would require aggressive mode, and with PSKs
>> that's really the least secure setup :/
>>
>> You'd have a better chance of getting this working when using
>> certificates, as you then should be able to match conns based on cert
>> IDs (but untested by me).
>
>
> I have tested this for a while and it should work.
>
> I have also made a patch for "this special feature", where you are able to
> configure an ip per user in /etc/passwd, if you really need PSK connections.
>
> user:password:connection[:ip or from-to ip range]
>
> Maybe you will try it.

Thanks, this patch applied cleanly on master and it solves my issue.
Great work!

Jonas

>
>> I guess it would be nice if we had a feature where the addresspool code
>> that remembers previously handed out IPs could be "pre-loaded" with some
>> ID-IP mappings. Anyone with some spare time on their hands? :)
>>
>>> Also I would like to enable split tunneling. How would one do this?
>>> Currently all traffic is routed through the vpn (there is no option
>>> in the built in macos client to turn this off); I would only like to
>>> route through certain ip ranges. Is it possible to control this from
>>> libreswan?
>>
>>
>> That is unfortunately only implemented as a client, not as a server. It
>> mostly involves dealing with sending the right XAUTH payloads on the
>> server side, and possibly some tweaks to add multiple SAs instead of
>> only one SA. It would use the leftsubnets={} syntax to specify these.
>>
>
> Wolfgang
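As an added example (not from this thread and not libreswan's own code), here is a small Python checker for the per-user file format Wolfgang describes: it parses the optional fourth field and flags static addresses that fall outside the conn's rightaddresspool or collide with another user's assignment. The sample lines, the placeholder password hashes and the conn-to-pool map are constructed for the example.

```python
import ipaddress

# Constructed sample of the per-user format Wolfgang's patch describes:
#   user:password:connection[:ip or from-to ip range]
# Passwords are placeholder hashes; dave is outside the pool and erin overlaps bob on purpose.
SAMPLE_USERS = """\
alice:$6$placeholder1:xauth-rsa:192.168.42.110
bob:$6$placeholder2:xauth-rsa:192.168.42.120-192.168.42.125
carol:$6$placeholder3:xauth-rsa
dave:$6$placeholder4:xauth-rsa:10.0.0.5
erin:$6$placeholder5:xauth-rsa:192.168.42.122
"""
# rightaddresspool of the conn in the thread (hypothetical conn -> pool map)
POOLS = {"xauth-rsa": "192.168.42.100-192.168.42.250"}

def parse_range(text):
    """'a.b.c.d' or 'a.b.c.d-e.f.g.h' -> (first, last) IPv4Address pair."""
    parts = [ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1)]
    if parts[-1] < parts[0]:
        raise ValueError(f"range end before start: {text}")
    return parts[0], parts[-1]

def parse_users(content):
    """Return (user, conn, first, last) tuples; first/last are None without a static address."""
    users = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 colon-separated fields")
        first = last = None
        if len(fields) == 4 and fields[3]:
            first, last = parse_range(fields[3])
        users.append((fields[0], fields[2], first, last))
    return users

def find_problems(users, pools):
    """Flag static assignments outside the conn's pool or overlapping another user's."""
    problems = []
    static = [u for u in users if u[2] is not None]
    for i, (name, conn, first, last) in enumerate(static):
        pool_first, pool_last = parse_range(pools[conn])
        if first < pool_first or last > pool_last:
            problems.append(f"{name}: {first}-{last} outside pool {pools[conn]}")
        for other, oconn, ofirst, olast in static[i + 1:]:
            if conn == oconn and first <= olast and ofirst <= last:
                problems.append(f"{name} overlaps {other}")
    return problems
```

Running `find_problems(parse_users(SAMPLE_USERS), POOLS)` reports bob/erin overlapping and dave's address outside the pool; carol has no static entry and would be served from the dynamic pool.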
