[Swan] ikev2, defining IP per client

Computerisms Corporation bob at computerisms.ca
Tue Nov 28 20:09:42 UTC 2017


Hi Paul,

I think we are good to wait a bit till you can get it pushed out...

and just to say this back to you to make sure that I understand; I would 
set up two firewall certs and import them into nss, and set up a conn for 
each with matching leftids; then have two DNS entries matching each cert 
name/left id, and configure the clients to connect via their respective 
DNS entries?  Or is there another way to make windows connect to the 
correct conn based on leftid?

On 2017-11-23 11:10 AM, Paul Wouters wrote:
> On Wed, 22 Nov 2017, Computerisms Corporation wrote:
> 
>> I have an existing system where two offices share an internet 
>> connection. One office has a VPN already setup using ikev2.  Now the 
>> other office wants VPN access, but we need to make sure when the VPN 
>> users connect, they can't see the other office's stuff.
> 
> You can set up two connections with different leftid= on the server, then
> configure the clients with a remote id that matches those. Then use
> different addresspool ranges for those connections. Then use iptables to
> make sure they cannot see each other.
> 
> You will need a small patch to support the optional IDr payload
> processing that I haven't yet pushed to master. Ping me for that or wait
> a few days for it to appear in master.
> 
> Paul
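The server-side layout Paul outlines (two conns distinguished by leftid=, separate address pools, and netfilter rules so the pools cannot reach each other), written out as an added example that is not from the thread or from the libreswan project. Every certificate nickname, ID, subnet and pool below is a hypothetical placeholder, and selecting a conn by the client's IDr still depends on the patch Paul mentions.

```conf
# Two IKEv2 roadwarrior conns on one gateway, chosen by the IDr the client
# sends. All names, addresses and pools are hypothetical placeholders.
config setup
    protostack=netkey

# Shared settings; auto=ignore keeps this template from loading on its own.
conn office-common
    left=%defaultroute
    leftsendcert=always
    right=%any
    rightca=%same
    rightid=%fromcert
    authby=rsasig
    ikev2=insist
    narrowing=yes
    fragmentation=yes
    auto=ignore

# Office A: clients whose IDr matches vpn-a get pool 10.11.0.0/24 and
# are offered only office A's LAN.
conn office-a
    also=office-common
    leftid=@vpn-a.example.net
    leftcert=vpn-a-cert
    leftsubnet=192.168.1.0/24
    rightaddresspool=10.11.0.10-10.11.0.250
    auto=add

# Office B: different leftid and cert (second NSS nickname), its own pool
# and its own LAN.
conn office-b
    also=office-common
    leftid=@vpn-b.example.net
    leftcert=vpn-b-cert
    leftsubnet=192.168.2.0/24
    rightaddresspool=10.12.0.10-10.12.0.250
    auto=add

# Companion netfilter policy on the gateway (run as root, shown here as
# comments): each pool reaches only its own LAN, return traffic is allowed
# by conntrack, and everything else from either pool is dropped, so the
# two pools never see each other or the other office's LAN.
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -s 10.11.0.0/24 -d 192.168.1.0/24 -j ACCEPT
#   iptables -A FORWARD -s 10.12.0.0/24 -d 192.168.2.0/24 -j ACCEPT
#   iptables -A FORWARD -s 10.11.0.0/24 -j DROP
#   iptables -A FORWARD -s 10.12.0.0/24 -j DROP
```

The two leftcert= nicknames must already exist in the NSS database, and each leftid= should match a name present in its certificate so clients can validate the gateway they are connecting to.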

