[Swan] Assign addresspool based on client certificate (IKEv2)

Paul Wouters paul at nohats.ca
Thu Apr 23 14:04:48 UTC 2020

On Thu, 23 Apr 2020, None None wrote:

> Please advice me,
> how i can assign rightaddresspool (IP) for users based on his certificates(IKEv2)?
> I.e.
> i'm issue 2 certificate vpn.user1 and vpn.user2
> and want that vpn.user1 always got x.x.x.32 ip
> and  vpn.user1 always got x.x.x.33 ip

Currently, that is not possible unfortunately.

Users are given back their old lease IP whenever we can, so it does
remain fairly static if your addresspool is big enough.

I agree it would be good to work on this as a feature.

If your deployment is very small, instead of one conn, you can have
one conn per user and set each with a separate rightsubnet=IPaddress/32

A fairly simple solution could be to write code for a new option in the
/etc/ipsec.secrets file (or a new file) that uses:

@userid :IP

But currently, we don't have that.


More information about the Swan mailing list