[Swan] Assign addresspool based on client certificate (IKEv2)

Paul Wouters paul at nohats.ca
Thu Apr 23 14:04:48 UTC 2020


On Thu, 23 Apr 2020, None None wrote:

> Please advise me,
> how can I assign a rightaddresspool IP to users based on their certificates (IKEv2)?
>
> I.e.
> I issue 2 certificates, vpn.user1 and vpn.user2,
> and want vpn.user1 to always get the x.x.x.32 IP
> and vpn.user1 to always get the x.x.x.33 IP

Currently, that is not possible unfortunately.

Users are given back their old lease IP whenever we can, so it does
remain fairly static if your addresspool is big enough.

I agree it would be good to work on this as a feature.

If your deployment is very small, instead of one conn, you can have
one conn per user and set each with a separate rightsubnet=IPaddress/32.

A fairly simple solution could be to write code for a new option in the
/etc/ipsec.secrets file (or a new file) that uses:

@userid :IP 1.2.3.4

But currently, we don't have that.

Paul
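The one-conn-per-user workaround from the reply, spelled out as an added ipsec.conf example; this is not from the original message or from the libreswan project. The certificate nickname, the subject DNs and the 192.0.2.0/24 addresses are placeholders standing in for the x.x.x.32 and x.x.x.33 of the question:

```ini
# Shared settings. auto=ignore keeps this template from being loaded as a
# conn of its own; the per-user conns pull it in with also=.
conn vpn-common
    auto=ignore
    ikev2=insist
    left=%defaultroute
    leftcert=vpn.server        # NSS nickname of the server certificate (assumed)
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightca=%same              # client cert must chain to the same CA as the server cert
    narrowing=yes

# One conn per user. All conns share right=%any, so libreswan can only pick
# the conn once the client has presented its certificate during IKE_AUTH;
# rightid must therefore match that certificate's subject DN exactly, and
# every user needs a distinct DN. The /32 rightsubnet replaces the pool
# lease with a fixed address for that user.
conn vpn-user1
    also=vpn-common
    rightid="CN=vpn.user1"     # subject DN of user1's certificate (assumed)
    rightsubnet=192.0.2.32/32
    auto=add

conn vpn-user2
    also=vpn-common
    rightid="CN=vpn.user2"     # subject DN of user2's certificate (assumed)
    rightsubnet=192.0.2.33/32
    auto=add
```

Because there is no rightaddresspool in this layout, the address is not handed out by the server but fixed by the conn the certificate selects; a certificate whose DN matches no rightid gets no conn at all, which is the check to watch for in the logs when adding a user.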
