[Swan] Static ip for clients ikev1+xauth
Jonas Trollvik
jontro at gmail.com
Thu Apr 23 11:28:43 EEST 2015
2015-04-23 9:37 GMT+02:00 Wolfgang Nothdurft <wolfgang at linogate.de>:
> Am 22.04.2015 um 20:24 schrieb Paul Wouters:
>>
>> On Wed, 22 Apr 2015, Jonas Trollvik wrote:
>>
>>> I have a connection that looks like the following
>>>
>>> conn xauth-rsa
>>>     authby=secret
>>>     pfs=no
>>>     auto=add
>>>     rekey=no
>>>     left=<my ip>
>>>     leftid=<my id>
>>>     leftsendcert=always
>>>     leftsubnet=0.0.0.0/0
>>>     rightaddresspool=192.168.42.100-192.168.42.250
>>>     right=%any
>>>     modecfgdns1=8.8.8.8
>>>     modecfgdns2=8.8.4.4
>>>     leftxauthserver=yes
>>>     rightxauthclient=yes
>>>     leftmodecfgserver=yes
>>>     rightmodecfgclient=yes
>>>     modecfgpull=yes
>>>     ike-frag=yes
>>>     xauthby=file
>>>
>>> The connection works fine from macosx, however what I would like to do
>>> is set a static ip for certain connecting clients. Either based on
>>> group id, xauth username or shared secret.
>>
>>
>> Currently, our only option would be add a new connection with a
>> different group
>> id. But it would require aggressive mode, and with PSK's that's really
>> the least secure setup :/
>>
>> You'd have a better chance of getting this working when using
>> certificates, as you then should be able to match conns based on cert
>> IDs (but untested by me)
>
>
> I have tested this for a while and it should work.
>
> I have also made a patch for "this special feature", where you are able to
> configure an ip per user in /etc/passwd, if you really need PSK connections.
>
> user:password:connection[:ip or from-to ip range]
>
> Maybe you will try it.
Thanks, this patch applied cleanly on master and it solves my issue
Great work!
Jonas
>
>> I guess it would be nice if we had a feature where the addresspool code
>> that remembers previously handed out IPs could be "pre-loaded" with some
>> ID-IP mappings. Anyone with some spare time on their hands? :)
>>
>>> Also I would like to enable split tunneling, how would one do this,
>>> currently all traffic is routed through the vpn (there is no option
>>> in the built in macos client to turn this off), I would only like to
>>> route through certain ip ranges, is it possible to control this from
>>> libreswan?
>>
>>
>> That is unfortunately only implemented as a client, not as a server. It
>> mostly involves dealing with sending the right XAUTH payloads on the
>> server side, and possibly some tweaks to add multiple SA's instead of
>> only one SA. It would use the leftsubnets={} syntax to specify these.
>>
>
> Wolfgang
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
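The per-user static address file Wolfgang describes has the shape `user:password:connection[:ip or from-to ip range]`. The following is an added example, not libreswan's code and not Wolfgang's patch: a small parser for that format plus the two consistency checks an operator would want before loading such a file on a server, namely that every static address or range lies inside the conn's `rightaddresspool=` and that no two users of the same conn are assigned overlapping addresses. The sample file, the placeholder hashes and the function names are constructed here; the pool bounds are taken from the `rightaddresspool=` line in Jonas's config. The password field is treated as an opaque string (libreswan keeps crypt(3) hashes there) and is never printed.

```python
"""Parser and sanity checker for a user:password:connection[:ip or range]
XAUTH password file.  Example code for this thread, not libreswan's own
implementation of the patch."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class XauthEntry:
    user: str
    password: str            # opaque (assumed crypt(3) hash); never logged
    conn: str
    first: Optional[IPv4]    # None means: draw from the dynamic pool
    last: Optional[IPv4]


def parse_range(field: str) -> Tuple[IPv4, IPv4]:
    """'a.b.c.d' -> (a, a); 'a.b.c.d-e.f.g.h' -> (a, h).  Rejects reversed ranges."""
    if "-" in field:
        lo, hi = (IPv4(p.strip()) for p in field.split("-", 1))
    else:
        lo = hi = IPv4(field.strip())
    if lo > hi:
        raise ValueError(f"reversed range {field!r}")
    return lo, hi


def parse_passwd(text: str) -> List[XauthEntry]:
    """Parse the file; blank lines and '#' comments are skipped.
    Assumes the password field itself contains no ':' (true for crypt hashes)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 fields, got {len(fields)}")
        user, password, conn = fields[:3]
        first = last = None
        if len(fields) == 4 and fields[3]:
            first, last = parse_range(fields[3])
        entries.append(XauthEntry(user, password, conn, first, last))
    return entries


def check_against_pool(entries: List[XauthEntry], pool: str, conn: str) -> List[str]:
    """Problems found for one conn: static assignments outside the pool, then
    pairs of users whose assignments overlap.  Empty list means consistent."""
    pool_lo, pool_hi = parse_range(pool)
    problems = []
    static = [e for e in entries if e.conn == conn and e.first is not None]
    for e in static:
        if e.first < pool_lo or e.last > pool_hi:
            problems.append(f"{e.user}: {e.first}-{e.last} outside pool {pool}")
    for i, a in enumerate(static):
        for b in static[i + 1:]:
            if a.first <= b.last and b.first <= a.last:
                problems.append(f"{a.user} and {b.user} overlap")
    return problems


def static_ip_for(entries: List[XauthEntry], user: str, conn: str):
    """Lookup at XAUTH time: (first, last) for a pinned user on this conn,
    or None when the user should get a dynamic pool address."""
    for e in entries:
        if e.user == user and e.conn == conn:
            return (e.first, e.last) if e.first is not None else None
    return None


# Constructed sample file: placeholder hashes, not real credentials.
SAMPLE = """\
# user:password:connection[:ip or from-to ip range]
alice:$6$placeholderhash:xauth-rsa:192.168.42.101
bob:$6$placeholderhash:xauth-rsa:192.168.42.110-192.168.42.119
carol:$6$placeholderhash:xauth-rsa
dave:$6$placeholderhash:xauth-rsa:192.168.42.115
erin:$6$placeholderhash:xauth-rsa:192.168.43.5
"""
POOL = "192.168.42.100-192.168.42.250"   # rightaddresspool= from the conn above

if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE)
    for problem in check_against_pool(parsed, POOL, "xauth-rsa"):
        print("WARNING:", problem)
    print("alice ->", static_ip_for(parsed, "alice", "xauth-rsa"))
    print("carol ->", static_ip_for(parsed, "carol", "xauth-rsa"))
```

Run against the constructed sample it reports that erin's address is outside the pool and that bob's range overlaps dave's pinned address, which are exactly the two mistakes that would otherwise show up only as a client that cannot connect or as two clients fighting over one address.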