Hi Martin,<br><br>The patch worked. SS 5.0.0 can select the connection that matches the group attribute returned from the RADIUS server with IKEv1 as well.<br><br>It is a superb feature to have a mechanism to provide different levels of access to remote users.<br>
<br>See my output below.<br><br>Thank you very much again for the quick help!<br><br>Jordan.<br><br>rw-ikev1-rnd[2]: ESTABLISHED 16 seconds ago, 172.16.20.1[zeus.test.net]...172.16.60.10[C=US, ST=CA, O=UC, OU=EDU CN=hera.test.net, E=hera@test.net<br>
rw-ikev1-rnd[2]: Remote XAuth identity: jordan<br>rw-ikev1-rnd[2]: IKEv1 SPIs: 709a09353ddafd25_i 7a8e1588cc122084_r*, public key reauthentication in 54 minutes<br>rw-ikev1-rnd[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
rw-ikev1-rnd{2}: INSTALLED, TUNNEL, ESP SPIs: cbd9f329_i e95ad9a5_o<br>rw-ikev1-rnd{2}: AES_CBC_256/HMAC_MD5_96, 720 bytes_i (0s ago), 720 bytes_o (0s ago), rekeying in 14 minutes<br>rw-ikev1-rnd{2}: 172.16.50.0/24 === 192.16.80.2/32<br>
<br><br>rw-ikev1-mgmt[4]: ESTABLISHED 9 seconds ago, 172.16.20.1[zeus.test.net]...172.16.60.10[C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera@test.net]<br>
rw-ikev1-mgmt[4]: Remote XAuth identity: even<br>rw-ikev1-mgmt[4]: IKEv1 SPIs: d936e9ce492b3210_i f41cc7aa43d23306_r*, public key reauthentication in 55 minutes<br>rw-ikev1-mgmt[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
rw-ikev1-mgmt{3}: INSTALLED, TUNNEL, ESP SPIs: c50f1999_i 324ae0ba_o<br>rw-ikev1-mgmt{3}: AES_CBC_256/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes<br>rw-ikev1-mgmt{3}: 172.16.100.0/24 === 192.16.90.2/32<br>
<br><br><br><br><div class="gmail_quote">On Thu, Jul 26, 2012 at 9:34 AM, yordanos beyene <span dir="ltr"><<a href="mailto:yordanosb@gmail.com" target="_blank">yordanosb@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thank you very much Martin for the quick patch. Excellent support!<br>I will apply the patch and let you know the outcome.<br>
<br>Jordan.<div><div><br><div class="gmail_quote">On Thu, Jul 26, 2012 at 6:26 AM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br>
> Currently missing is the connection fallback, though. So<br>
> if your first connection does not comply, the setup fails without<br>
> switching to a potentially matching connection. I'll try to get this<br>
> implemented ASAP, but this requires some work.<br>
<br>
</div>I've just pushed another patch [1] that implements late peer config<br>
switching if XAuth authentication does not fulfill the configured<br>
constraints, such as group membership. With all these patches applied,<br>
group information from RADIUS now can be used to select configurations<br>
in IKEv1, too.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=8b560a45" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=8b560a45</a><br>
<br>
</blockquote></div><br>
</div></div></blockquote></div><br>
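The status output in this thread shows two XAuth users landing in different connections with different local subnets. The following is an added example, not part of the original thread and not strongSwan code: a Python script that parses status lines in that format and flags any XAuth identity found in a connection other than the one an assumed policy allows. The `EXPECTED` mapping and the function names are hypothetical, and the sample lines are constructed from the output above with the certificate DNs shortened.

```python
import re

# Constructed sample in the format of the status output quoted in the thread.
SAMPLE = """\
rw-ikev1-rnd[2]: ESTABLISHED 16 seconds ago, 172.16.20.1[zeus.test.net]...172.16.60.10[hera.test.net]
rw-ikev1-rnd[2]: Remote XAuth identity: jordan
rw-ikev1-rnd{2}:   172.16.50.0/24 === 192.16.80.2/32
rw-ikev1-mgmt[4]: ESTABLISHED 9 seconds ago, 172.16.20.1[zeus.test.net]...172.16.60.10[hera.test.net]
rw-ikev1-mgmt[4]: Remote XAuth identity: even
rw-ikev1-mgmt{3}:   172.16.100.0/24 === 192.16.90.2/32
"""

# Assumed policy (hypothetical): the connection each XAuth user should land in.
EXPECTED = {"jordan": "rw-ikev1-rnd", "even": "rw-ikev1-mgmt"}

# IKE SA lines use name[id], CHILD SA lines use name{id}; the ids can differ,
# so results are keyed by connection name only.
XAUTH = re.compile(r"^(\S+)\[\d+\]: Remote XAuth identity: (\S+)\s*$")
TS = re.compile(r"^(\S+)\{\d+\}:\s+(\S+) === (\S+)\s*$")

def parse_status(text):
    """Return {conn: {"users": [...], "local_ts": [...]}} from status lines."""
    conns = {}
    for line in text.splitlines():
        m = XAUTH.match(line)
        if m:
            entry = conns.setdefault(m.group(1), {"users": [], "local_ts": []})
            entry["users"].append(m.group(2))
            continue
        m = TS.match(line)
        if m:
            entry = conns.setdefault(m.group(1), {"users": [], "local_ts": []})
            entry["local_ts"].append(m.group(2))
    return conns

def violations(conns, expected):
    """List (user, actual_conn, expected_conn) for every mismatch."""
    bad = []
    for conn, info in conns.items():
        for user in info["users"]:
            want = expected.get(user)  # None means the user is not in the policy
            if want != conn:
                bad.append((user, conn, want))
    return bad

if __name__ == "__main__":
    print(violations(parse_status(SAMPLE), EXPECTED))
```
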