[Swan] Static ip for clients ikev1+xauth

Jonas Trollvik jontro at gmail.com
Thu Apr 23 11:28:43 EEST 2015

2015-04-23 9:37 GMT+02:00 Wolfgang Nothdurft <wolfgang at linogate.de>:
> Am 22.04.2015 um 20:24 schrieb Paul Wouters:
>> On Wed, 22 Apr 2015, Jonas Trollvik wrote:
>>> I have a connection that looks like the following
>>> conn xauth-rsa
>>>    authby=secret
>>>    pfs=no
>>>    auto=add
>>>    rekey=no
>>>    left=<my ip>
>>>    leftid=<my id>
>>>    leftsendcert=always
>>>    leftsubnet=
>>>    rightaddresspool=
>>>    right=%any
>>>    modecfgdns1=
>>>    modecfgdns2=
>>>    leftxauthserver=yes
>>>    rightxauthclient=yes
>>>    leftmodecfgserver=yes
>>>    rightmodecfgclient=yes
>>>    modecfgpull=yes
>>>    ike-frag=yes
>>>    xauthby=file
>>> The connection works fine from macosx, however what I would like to do
>>> is set a static ip for certain connecting clients. Either based on
>>> group id, xauth username or shared secret.
>> Currently, our only option would be to add a new connection with a
>> different group id. But it would require aggressive mode, and with PSKs
>> that's really the least secure setup :/
>> You'd have a better chance of getting this working when using
>> certificates, as you then should be able to match conns based on cert
>> IDs (but untested by me)
> I have tested this for a while and it should work.
> I have also made a patch for "this special feature", where you are able to
> configure an ip per user in /etc/passwd, if you really need PSK connections.
> user:password:connection[:ip or from-to ip range]
> Maybe you will try it.

Thanks, this patch applied cleanly on master and it solves my issue.
Great work!


>> I guess it would be nice if we had a feature where the addresspool code
>> that remembers previously handed out IPs could be "pre-loaded" with some
>> ID-IP mappings. Anyone with some spare time on their hands? :)
>>> Also I would like to enable split tunneling, how would one do this,
>>> currently all traffic is routed through the vpn (there is no option
>>> in the built in macos client to turn this off), I would only like to
>>> route through certain ip ranges, is it possible to control this from
>>> libreswan?
>> That is unfortunately only implemented as a client, not as a server. It
>> mostly involves dealing with sending the right XAUTH payloads on the
>> server side, and possibly some tweaks to add multiple SA's instead of
>> only one SA. It would use the leftsubnets={} syntax to specify these.
> Wolfgang
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
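The per-user static address lives in a colon-separated passwd file, so the easiest mistakes to make are two users mapped onto the same address or a static address that falls outside the connection's `rightaddresspool`. The following validator is an added example, not libreswan code and not Wolfgang's patch; it assumes the entry format quoted above, `user:password:connection[:ip or from-to]`, and further assumes that a range is written as two IPv4 addresses joined by a hyphen (the thread does not pin that syntax down) and that static addresses are expected to sit inside the pool so the same policies apply to them. The password column in the real file holds a crypt(3) hash; the sample below uses a constructed placeholder, not a real hash.

```python
"""Check an XAUTH passwd file that carries optional per-user static IPs.

Assumed line format (range syntax is an assumption, not from the thread):
    user:password:connection[:ip | :from-to]
Added example for illustration; not libreswan's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass
class PasswdEntry:
    user: str
    password: str                 # crypt(3)-style hash in the real file
    connection: str
    static: Optional[IPRange]     # None: address comes from rightaddresspool


def parse_static(spec: str) -> IPRange:
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into an inclusive (lo, hi) pair."""
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
    else:
        lo = hi = ipaddress.IPv4Address(spec.strip())
    if lo > hi:
        raise ValueError(f"range start after end: {spec!r}")
    return lo, hi


def parse_entry(line: str) -> PasswdEntry:
    """Split one passwd line into its fields; the 4th field is optional."""
    fields = line.rstrip("\n").split(":")
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 colon-separated fields: {line!r}")
    user, password, conn = fields[:3]
    if not user or not conn:
        raise ValueError(f"empty user or connection name: {line!r}")
    static = parse_static(fields[3]) if len(fields) == 4 and fields[3] else None
    return PasswdEntry(user, password, conn, static)


def check_passwd(text: str, pool: str) -> List[str]:
    """Return human-readable problems: bad syntax, duplicate users,
    static addresses outside `pool` ('first-last'), and overlapping statics."""
    pool_lo, pool_hi = parse_static(pool)
    problems: List[str] = []
    taken: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, str]] = []
    seen_users = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            entry = parse_entry(line)
        except ValueError as err:
            problems.append(f"line {lineno}: {err}")
            continue
        if entry.user in seen_users:
            problems.append(f"line {lineno}: duplicate user {entry.user!r}")
        seen_users.add(entry.user)
        if entry.static is None:
            continue
        lo, hi = entry.static
        if lo < pool_lo or hi > pool_hi:
            problems.append(f"line {lineno}: {entry.user!r} static {lo}-{hi} "
                            f"outside pool {pool}")
        for other_lo, other_hi, other_user in taken:
            if lo <= other_hi and other_lo <= hi:   # inclusive interval overlap
                problems.append(f"line {lineno}: {entry.user!r} overlaps {other_user!r}")
        taken.append((lo, hi, entry.user))
    return problems


# Constructed sample file; the hashes are placeholders, not real credentials.
SAMPLE_PASSWD = """\
# constructed sample, not a real credential file
alice:$6$PLACEHOLDER$notarealhash:xauth-rsa:10.8.0.10
bob:$6$PLACEHOLDER$notarealhash:xauth-rsa:10.8.0.20-10.8.0.29
carol:$6$PLACEHOLDER$notarealhash:xauth-rsa
dave:$6$PLACEHOLDER$notarealhash:xauth-rsa:10.8.0.25
eve:$6$PLACEHOLDER$notarealhash:xauth-rsa:192.0.2.7
alice:$6$PLACEHOLDER$notarealhash:other
"""
SAMPLE_POOL = "10.8.0.10-10.8.0.100"   # assumed rightaddresspool of the conn

if __name__ == "__main__":
    for problem in check_passwd(SAMPLE_PASSWD, SAMPLE_POOL):
        print(problem)
```

Run against the constructed sample it reports dave colliding with bob's range, eve's address lying outside the pool, and the second `alice` line; carol has no fourth field and is left to the dynamic pool, which is the behaviour the patch preserves for users without a static assignment.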
