[Swan] ikev2, defining IP per client

Paul Wouters paul at nohats.ca
Fri Dec 1 18:41:25 UTC 2017


On Tue, 28 Nov 2017, Computerisms Corporation wrote:

> I think we are good to wait a bit till you can get it pushed out...

You can grab 3.23rc1 now that contains the code for this.

download.libreswan.org/development/

> and just to say this back to you to make sure that I understand; I would set 
> up two firewall certs and import them into nss, and setup a conn for each 
> with matching leftids; then have two DNS entries matching each cert name/left 
> id, and configure the clients to connect via their respective DNS entries? 
> or is there another way to make windows connect to the correct conn based on 
> leftid?

Yes, see this test case:

https://github.com/libreswan/libreswan/tree/master/testing/pluto/ikev2-x509-18-multicert-rightid

In east.conf, you see it has two conns with different cert/ids. In
west.conf you see it is connecting to one of them. If you run the
test, it shows that east is "switching" from guessing the wrong one
first to the right one.

Paul
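As an added illustration that is not from Paul's message and not the east.conf of the linked test case: a constructed libreswan ipsec.conf fragment for the responder side, with two conns that share everything except the certificate nickname and leftid they present. The hostnames, certificate nicknames and address pool are placeholders; each client is pointed at the DNS name matching the leftid of the conn it should land on.

```ini
# Constructed example (not the libreswan test case's east.conf).
# One responder host, two certificates in the NSS database, two conns.
# An IKEv2 initiator sends the responder ID it expects (IDr); pluto
# picks the conn whose leftid matches, so clients connecting to
# vpn-a.example.test get cert "vpn-a" and clients connecting to
# vpn-b.example.test get cert "vpn-b". Both names need DNS entries
# pointing at this host.
config setup
    logfile=/var/log/pluto.log

# Template shared by both conns; auto=ignore keeps it from being
# loaded as a conn of its own.
conn common
    ikev2=insistent
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftsendcert=always
    right=%any
    rightid=%fromcert
    rightca=%same
    rightaddresspool=10.10.10.10-10.10.10.250    # placeholder pool
    authby=rsasig
    auto=ignore

conn vpn-a
    also=common
    leftcert=vpn-a                  # NSS nickname of the first cert (placeholder)
    leftid=@vpn-a.example.test      # must appear in that cert's SAN and in DNS
    auto=add

conn vpn-b
    also=common
    leftcert=vpn-b                  # NSS nickname of the second cert (placeholder)
    leftid=@vpn-b.example.test
    auto=add
```

Because the two conns differ only in leftcert/leftid, a client that resolves vpn-b.example.test but has only the vpn-a certificate chain trusted will fail authentication rather than silently land on the other conn, which is the check worth watching in the pluto log when verifying the setup.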

