[Swan] ip based on certs
Marc
Marc at f1-outsourcing.eu
Sun Feb 4 01:46:08 EET 2024
> >
> >> I am using this libreswan setup[1]
> >>
> >> I was wondering what would be the best practice to assign the same ip
> >> (from the rightaddresspool) to a client using a specific certificate.
> >> Maybe based on this rightid=%fromcert?
> >
> > It's on our TODO list, see
> > https://github.com/libreswan/libreswan/issues/473
> >
> > Paul
> >
>
> Isn't that already possible if you use the same configuration for every
> client and change only rightid and rightaddresspool like:
>
> conn client1
>     ...
>     rightid=client1
>     rightaddresspool=10.10.20.1-10.10.20.1
>
> conn client2
>     ...
>     rightid=client2
>     rightaddresspool=10.10.20.2-10.10.20.2
>
> Wolfgang

conn eap-shared
    type=tunnel
    ike=aes128-sha1-modp1024
    rightauth=eap-mschapv2
    leftcert=server-cert.pem

conn eap-init
    also=eap-shared
    # this config is used to do the EAP-Identity exchange and the
    # authentication of client and server
    eap_identity=%identity
    # the following is used to force a connection switch after
    # the authentication completed
    rightgroups=thisseemsirrelevant
    auto=add

conn eap-liv
    also=eap-shared
    eap_identity=*@liv-some-domain.com
    rightsourceip=10.200.0.0/16-10.200.254.254/16
    auto=add

conn eap-dev
    also=eap-shared
    eap_identity=*@dev-some-domain.com
    rightsourceip=10.100.0.0/16-10.100.254.254/16
    auto=add

https://serverfault.com/questions/1097369/strongswan-ipsec-multiple-roadwarrior-connections-different-subnets
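
Added example, not part of the original message and not libreswan project code: a small generator for the per-client layout suggested in the quoted reply (one conn per rightid with a single-address rightaddresspool), which rejects duplicate or out-of-range addresses and identities that could inject extra config lines. The client map, the 10.10.20.0/24 range and the shared section name "shared" are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data: identity -> fixed tunnel address (not from the thread).
CLIENTS = {
    "client1": "10.10.20.1",
    "client2": "10.10.20.2",
}
ALLOWED_NET = ipaddress.ip_network("10.10.20.0/24")  # assumed lease range
# Conservative character set so an identity cannot smuggle a newline or a
# second "conn" section into the generated file.
SAFE_ID = re.compile(r"[A-Za-z0-9._-]+")


def render_conns(clients, allowed_net=ALLOWED_NET, shared="shared"):
    """Return ipsec.conf text with one conn per client and a one-address pool.

    Raises ValueError on an unsafe identity, an address outside allowed_net,
    or two identities mapped to the same address.
    """
    seen = {}
    blocks = []
    for ident, addr in sorted(clients.items()):
        if not SAFE_ID.fullmatch(ident):
            raise ValueError(f"unsafe identity: {ident!r}")
        ip = ipaddress.ip_address(addr)
        if ip not in allowed_net:
            raise ValueError(f"{ip} is outside {allowed_net}")
        if ip in seen:
            raise ValueError(f"{ip} assigned to both {seen[ip]} and {ident}")
        seen[ip] = ident
        # "shared" is a hypothetical section holding the common settings
        # that the quoted reply elides as "...".
        blocks.append(
            f"conn {ident}\n"
            f"    also={shared}\n"
            f"    rightid={ident}\n"
            f"    rightaddresspool={ip}-{ip}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    print(render_conns(CLIENTS))
```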