[Swan] Using cert DN for connection matching
Jan Koriťák
jenda at pudr.com
Fri Jan 28 01:41:19 EET 2022
Hello,
I was trying to have two different address pools for clients based on info in certificate DN.
I did this by configuring two basically identical connections, just with different rightaddresspool and rightid.
conn ikev2-cp-static
    left=%eth0
    leftcert=vpn.example.net
    leftid=@vpn.example.net
    leftsendcert=always
    leftsubnet=10.0.0.0/8
    leftrsasigkey=%cert
    right=%any
    # only rightid and rightaddresspool differ from ikev2-cp-others
    rightid="CN=static,O=IKEv2 VPN"
    rightaddresspool=192.168.43.10-192.168.43.10
    rightca=%same
    rightrsasigkey=%cert
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    pfs=no
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
    ikelifetime=24h
    salifetime=24h
    encapsulation=yes
    mobike=yes
conn ikev2-cp-others
    left=%eth0
    leftcert=vpn.example.net
    leftid=@vpn.example.net
    leftsendcert=always
    leftsubnet=10.0.0.0/8
    leftrsasigkey=%cert
    right=%any
    # only rightid and rightaddresspool differ from ikev2-cp-static
    rightid="CN=vpnclient,O=IKEv2 VPN"
    rightaddresspool=192.168.43.11-192.168.43.250
    rightca=%same
    rightrsasigkey=%cert
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    pfs=no
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
    ikelifetime=24h
    salifetime=24h
    encapsulation=yes
    mobike=yes
This, however, didn't do what I wanted: no matter which cert I used on the client, the "ikev2-cp-static" connection was always matched on the server (and certificate authentication subsequently failed when I used the cert with CN=vpnclient).
Does this mean that only the left/right fields are used to match the connection first, and that the ID is just validated afterwards, without falling back to another matching connection?
Is there some place I can read more about how exactly the matching works, and also which connection takes precedence if more than one matches? I was not able to find much info about this.
My end goal was to have one client with a statically assigned IP (hence the small addresspool), while other clients have dynamic IPs. I can't use "right" to distinguish them, as they can be behind the same NAT. That's why I tried to use the cert fields. Would anyone have a tip on how else I could accomplish my goal?
Thanks for your help!
Regards,
Jan
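As an added illustration (not part of the original post and not libreswan's own selection code), the script below models the matching the post is trying to achieve: it parses the two conn sections, picks the connection whose rightid DN equals a client certificate's subject DN, and checks that the two rightaddresspool ranges don't overlap. It assumes an order-sensitive, case-insensitive RDN comparison, which is a simplification of how an IKE daemon compares DNs.

```python
import ipaddress
import re

# Constructed sample: the two connections from the post, trimmed to the
# keywords this check needs (left/right, rightid, rightaddresspool).
SAMPLE_CONF = """
conn ikev2-cp-static
    left=%eth0
    right=%any
    rightid="CN=static,O=IKEv2 VPN"
    rightaddresspool=192.168.43.10-192.168.43.10

conn ikev2-cp-others
    left=%eth0
    right=%any
    rightid="CN=vpnclient,O=IKEv2 VPN"
    rightaddresspool=192.168.43.11-192.168.43.250
"""

def parse_conf(text):
    """Parse ipsec.conf-style 'conn' sections into {name: {key: value}}."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def dn_rdns(dn):
    """Split a DN into (ATTR, value) pairs; attribute names compared case-insensitively."""
    parts = (p for p in re.split(r"(?<!\\),", dn) if "=" in p)
    return tuple((a.strip().upper(), v.strip()) for a, v in (p.split("=", 1) for p in parts))

def select_conn(conns, peer_dn):
    """Names of connections whose rightid DN equals the peer's cert subject DN."""
    return [name for name, kv in conns.items()
            if "rightid" in kv and dn_rdns(kv["rightid"]) == dn_rdns(peer_dn)]

def pool_overlaps(conns):
    """Pairs of connections whose rightaddresspool ranges intersect (should be empty)."""
    ranges = {}
    for name, kv in conns.items():
        lo, hi = kv["rightaddresspool"].split("-")
        ranges[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    names = list(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
```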