<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>We are using certificates (one for each client device), but I have 2 networks: n1 and n2. And I want some users to be able to access n1 and others n1 + n2.</div><div><br></div><div>I wanted to make the distinction by using a conf like this:</div><div><br></div><div><pre>conn alice
        leftsubnet=10.1.0.10/32
        right=%any
        rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
        auto=add
conn venus
        leftsubnet=10.1.0.20/32
        right=%any
        rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
        auto=add</pre></div><div>But unfortunately with the macOS client I don't get the Distinguished Name but only the FQDN:</div><div><br></div><div>ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastname@test.com]<br>ikev2-pubkey{2102}: INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o</div><div><br></div><div>And if you compare that with the strongSwan Android client:</div><div><br></div><div>ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastname@test.com]<br>ikev2-pubkey{2103}: INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o</div><div><br></div><div>So I cannot route my users according to their certificates, and I was wondering what I can do?<br></div><div><br><div class="gmail_quote"><div dir="ltr">On Thu, Oct 4, 2018 at 19:42, bls s <<a href="mailto:bls3427@outlook.com">bls3427@outlook.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Someone will likely explain why using certificates sucks, but if you use certificates (one for each client device) you'll have fine-grained user access control (by revoking/deleting certs), and you don't need to list all the enabled certs anywhere in your
config file. </div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_9010041861255361603divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Users <<a href="mailto:users-bounces@lists.strongswan.org" target="_blank">users-bounces@lists.strongswan.org</a>> on behalf of Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank">matthieu.nantern@margo.com</a>><br>
<b>Sent:</b> Thursday, October 4, 2018 8:41 AM<br>
<b>To:</b> <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
<b>Subject:</b> Re: [strongSwan] Ikev2 wildcards with MacOs clients</font>
<div> </div>
</div>
<div>
<div dir="ltr">Is it possible to have multiple email addresses in the “rightid” parameter? Maybe I can list all authorized users for each server instead of relying on Distinguished Names?<br>
</div>
<br>
<div class="gmail-m_9010041861255361603x_gmail_quote">
<div dir="ltr">On Wed, Oct 3, 2018 at 08:42, Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank">matthieu.nantern@margo.com</a>> wrote:<br>
</div>
<blockquote class="gmail-m_9010041861255361603x_gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hi!</div>
<div><br>
</div>
<div>I installed strongSwan to allow my users (mainly Mac OS X clients) to use the native IKEv2 authentication. Everything is working fine.</div>
<div><br>
</div>
<div>Now I would like to implement something like this: <a href="https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html" target="_blank">
https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html</a>; allowing some clients to access some networks and not others.</div>
<div><br>
</div>
<div>Unfortunately I didn't see (or understand) the issue on that page (<a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile</a>):</div>
<div><br>
</div>
<div>
<ul>
<li>ASN.1 Distinguished Names can't be used as identities because the client currently sends them as identities of type FQDN.</li></ul>
</div>
<div><br>
</div>
<div>As a result, when I put rightid in my configuration it's not working, because Mac OS X is only sending an FQDN (an email address in my case) and not the Distinguished Name.<br>
</div>
<div><br>
</div>
<div>My question is: how can I allow (or deny) some networks to some users?<br>
</div>
<div><br>
</div>
<div>I have a file that associates email addresses to "roles", but I don't know how to use it. Maybe a plugin?</div>
<div><br>
</div>
<div>Any ideas/links?</div>
<div><br>
</div>
<div>Thank you!<br>
</div>
<div>-- <br>
<div dir="ltr" class="gmail-m_9010041861255361603x_m_8088422313965390403gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<pre>Matthieu Nantern</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr" class="gmail-m_9010041861255361603x_gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<pre>Matthieu Nantern
SRE, Margo Bank
+33683148506</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><pre>Matthieu Nantern
SRE, Margo Bank
+33683148506</pre></div></div></div></div></div></div></div></div>
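<div>The diagnosis in the thread (the macOS client presents its e-mail address as an FQDN-typed identity while the Android client presents the certificate DN, so DN-based <code>rightid</code> rules can never select a macOS peer) can be checked against live <code>ipsec statusall</code> output. The following Python is an added example, not code from the thread or from strongSwan; the sample status lines, the third peer with a matching DN, and the simplified wildcard-matching model are constructed assumptions.</div>

```python
import re
# Constructed sample of `ipsec statusall` output: the two SAs quoted in the thread
# (macOS, then Android) plus a constructed DN peer that matches the quoted config.
STATUS_OUTPUT = """\
ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastname@test.com]
ikev2-pubkey{2102}: INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o
ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastname@test.com]
ikev2-pubkey[1218]: ESTABLISHED 9 seconds ago, 10.8.1.113[vpn.test.net]...203.0.113.7[C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org]
"""

# IKE_SA status line shape: conn[id]: STATE ..., local[local_id]...remote[remote_id]
IKE_SA_RE = re.compile(
    r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]: (?P<state>\w+) .*?, "
    r"(?P<local>[\d.]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>[\d.]+)\[(?P<remote_id>[^\]]*)\]$"
)
# conn name -> rightid pattern, copied from the ipsec.conf quoted in the thread
RIGHTID_RULES = {
    "alice": "C=CH, O=Linux strongSwan, OU=Research, CN=*",
    "venus": "C=CH, O=Linux strongSwan, OU=Accounting, CN=*",
}

def parse_ike_sas(text):
    """Return one dict per IKE_SA line; CHILD_SA lines (conn{id}) are skipped."""
    return [m.groupdict() for m in map(IKE_SA_RE.match, text.splitlines()) if m]

def identity_type(ident):
    """A DN is a comma-separated list of RDNs (C=, O=, OU=, CN=...); the status
    output does not show whether another string was sent as ID_FQDN or ID_RFC822_ADDR."""
    if re.match(r"^\s*[A-Z]+=[^,]*(?:,\s*[A-Z]+=[^,]*)*$", ident):
        return "DN"
    return "FQDN/EMAIL"

def parse_dn(dn):
    return [tuple(rdn.strip().split("=", 1)) for rdn in dn.split(",")]

def dn_matches(pattern, ident):
    """Simplified model of rightid DN matching with '*' as an RDN-value wildcard
    (ikev2/wildcards scenario). A non-DN identity, as macOS sends, never matches."""
    if identity_type(ident) != "DN":
        return False
    pat, val = parse_dn(pattern), parse_dn(ident)
    return len(pat) == len(val) and all(
        pk == vk and pv in ("*", vv) for (pk, pv), (vk, vv) in zip(pat, val))

def audit(text, rules=RIGHTID_RULES):
    """Per IKE_SA: conn, remote id, its type, and the DN-based conns it could satisfy."""
    return [(sa["conn"], sa["remote_id"], identity_type(sa["remote_id"]),
             [c for c, p in rules.items() if dn_matches(p, sa["remote_id"])])
            for sa in parse_ike_sas(text)]
```

An empty match list in the audit output flags a peer that no DN-based conn can select, which is exactly the macOS case the thread describes.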