<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I don't have many experience with ipsec, but I think it is possible to specify different accepted CA for each connection when using swanctl.conf.<div class=""><br class=""></div><div class="">"</div><div class=""><span style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px; background-color: rgb(240, 240, 240);" class="">connections.<conn>.remote<suffix>.cacerts: </span><span style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px; background-color: rgb(255, 255, 255);" class="">Comma separated list of CA certificates to accept for authentication. The certificates may use a relative path from the </span><strong style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px;" class="">swanctl</strong><span style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px; background-color: rgb(255, 255, 255);" class=""> </span><em style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px;" class="">x509ca</em><span style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px; background-color: rgb(255, 255, 255);" class=""> directory or an absolute path.</span></div><div class=""><span style="caret-color: rgb(54, 0, 12); color: rgb(54, 0, 12); font-family: Verdana, sans-serif; font-size: 10.800000190734863px; background-color: rgb(255, 255, 255);" class="">"</span></div><div class=""><br class=""></div><div class="">So you should just generate cert with one CA for the first group, and an other CA for the second group.</div><div class=""><br class=""></div><div class=""><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">Le 11 oct. 2018 à 16:34, bls s <<a href="mailto:bls3427@outlook.com" class="">bls3427@outlook.com</a>> a écrit :</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">In the general sense it’s secure, since the connection is validated by the certs. However, in your particular use case, it does seem that a user could change the Remote ID and access the other VPN subnet. I can’t think of a way offhand to use a cert-based implementation to avoid that, other than using two VPNs, one for each subnet group (with each VPN having a separate root CA cert so no crossover is possible).</div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Even if you went to an id/password-based mechanism, you’ll need some way to distinguish the groups. A connection per user would get you there, but that will dramatically increase management complexity, so two VPN servers might be a more management-efficient approach.</div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; border: none; padding: 0in;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:matthieu.nantern@margo.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Matthieu Nantern</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Thursday, October 11, 2018 6:47 AM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:bls3427@outlook.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls3427@outlook.com</a><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b><a href="mailto:users@lists.strongswan.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">users@lists.strongswan.org</a><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [strongSwan] Ikev2 wildcards with MacOs clients</div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div dir="ltr" class=""><div class="">It's working but I'm wondering if it's really secure ? A user can just change its Remote ID and gain access to the other networks, no ?</div><div class=""><br class=""></div><div class="">I want something that is server side. I can create one connection for each user but it's ugly !<br class=""></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="">Le lun. 8 oct. 2018 à 21:05, bls s <<a href="mailto:bls3427@outlook.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls3427@outlook.com</a>> a écrit :<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class=""><div class="m_5834563087877639267WordSection1"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Definitely interested in seeing it replicated. As an aside, I updated my CA management app<span class="Apple-converted-space"> </span><a href="https://github.com/gitbls/pistrong" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://github.com/gitbls/pistrong</a><span class="Apple-converted-space"> </span>with more flexibility to generate this type of VPN cert. Unfortunately, it’s fully built around swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration. But, if you run into any issues, happy to help you wrangle it into debug mode to use that part of the tool.</div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><u class=""></u> <u class=""></u></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; border: none; padding: 0in;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:matthieu.nantern@margo.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Matthieu Nantern</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Sunday, October 7, 2018 11:23 PM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:bls3427@outlook.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls3427@outlook.com</a><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b><a href="mailto:users@lists.strongswan.org" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">users@lists.strongswan.org</a><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [strongSwan] Ikev2 wildcards with MacOs clients</div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div dir="ltr" class=""><div class="">Very good idea ! I will try that this week and will let you know if it works !<span class="Apple-converted-space"> </span><br class=""></div><div class=""><br class=""></div><div class="">Thank you !<br class=""></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="">Le dim. 7 oct. 2018 à 00:17, bls s <<a href="mailto:bls3427@outlook.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls3427@outlook.com</a>> a écrit :<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class=""><div lang="EN-US" link="blue" vlink="#954F72" class=""><div class="m_5834563087877639267m_100642945487062136x_WordSection1"><p class="m_5834563087877639267m_100642945487062136x_MsoNormal">I just did a quick test using my iPhone, and it appears to work just fine. Using 2 strongSwan profiles, each profile has a different VPN cert, with different altNames in the cert. By changing the Remote ID on iOS I was able to authenticate with each of the 2 profiles.</p><div class=""> <br class="webkit-block-placeholder"></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><p class="m_5834563087877639267m_100642945487062136x_MsoNormal" style="border: none; padding: 0in;"><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:bls3427@outlook.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls s</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Friday, October 5, 2018 6:54 AM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:matthieu.nantern@margo.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Matthieu Nantern</a><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b><a href="mailto:users@lists.strongswan.org" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">users@lists.strongswan.org</a><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [strongSwan] Ikev2 wildcards with MacOs clients</p></div><div class=""> <br class="webkit-block-placeholder"></div></div></div><font size="2" class=""><span style="font-size: 11pt;" class=""><div class="m_5834563087877639267m_100642945487062136PlainText">I haven't looked into this in detail, but could you use different VPN certs for each subnet? Each VPN cert would be in a different conn section, and they would have different altNames (SAN). If I understand the MacOS VPN config correctly (looks a lot like iOS), when certs are installed onto MacOS, you can specify the Remote ID, which is the SAN that matches that of the VPN cert.<br class=""><br class="">From: Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">matthieu.nantern@margo.com</a>><br class="">Sent: Thursday, October 4, 2018 11:31 PM<br class="">To:<span class="Apple-converted-space"> </span><a href="mailto:bls3427@outlook.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls3427@outlook.com</a><br class="">Cc:<span class="Apple-converted-space"> </span><a href="mailto:users@lists.strongswan.org" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">users@lists.strongswan.org</a><br class="">Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients<br class=""> <br class="">We are using certificates (one for each client device) but I have 2 networks: n1 and n2. And I want that some users can access n1 and others n1 + n2.<br class=""><br class=""><br class="">I wanted to make the distinction by using a conf like that:<br class=""><br class=""><br class="">conn alice<br class=""> leftsubnet=<a href="http://10.1.0.10/32" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">10.1.0.10/32</a><br class=""> right=%any<br class=""> rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"<br class=""> auto=add<br class=""> <span class="Apple-converted-space"> </span><br class="">conn venus<br class=""> leftsubnet=<a href="http://10.1.0.20/32" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">10.1.0.20/32</a><br class=""> right=%any<br class=""> rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"<br class=""> auto=add<br class="">But unfortunately with MacOs client I don't have the Distinguished Names but only the FQDN:<br class=""><br class=""><br class="">ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[<a href="http://vpn.test.net/" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">vpn.test.net</a>]...213.41.12.162[<a href="mailto:firstname.lastname@test.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">firstname.lastname@test.com</a>]<br class="">ikev2-pubkey{2102}: INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o<br class=""><br class=""><br class="">And if you compare that with the StrongSwan Android client:<br class=""><br class=""><br class="">ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[<a href="http://vpn.test.net/" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">vpn.test.net</a>]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=<a href="mailto:firstname.lastname@test.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">firstname.lastname@test.com</a>]<br class="">ikev2-pubkey{2103}: INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o<br class=""><br class=""><br class="">So I cannot route my users according to their certificates and I was wondering what can I do ?<br class=""><br class=""><br class=""><br class="">Le jeu. 4 oct. 2018 à 19:42, bls s <<a href="mailto:bls3427@outlook.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">bls3427@outlook.com</a>> a écrit :<br class=""><br class="">Someone will likely explain why using certificates sucks, but if you use certificates (one for each client device) you'll have fine-grained user access control (by revoking/deleting certs), and you don't need to list all the enabled certs anywhere in your config file.<br class="">From: Users <<a href="mailto:users-bounces@lists.strongswan.org" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">users-bounces@lists.strongswan.org</a>> on behalf of Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">matthieu.nantern@margo.com</a>><br class="">Sent: Thursday, October 4, 2018 8:41 AM<br class="">To:<span class="Apple-converted-space"> </span><a href="mailto:users@lists.strongswan.org" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">users@lists.strongswan.org</a><br class="">Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients<br class=""> <br class="">Is it possible to have multiple email address in the “rightid“ parameter ? Maybe I can list all authorized users for each server instead of relying on Distinguished Names ?<br class=""><br class=""><br class=""><br class="">Le mer. 3 oct. 2018 à 08:42, Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">matthieu.nantern@margo.com</a>> a écrit :<br class=""><br class="">Hi !<br class=""><br class=""><br class="">I installed StrongSwan to allow my users (mainly MacOs X clients) to use the native ikev2 authentication. Everything is working fine.<br class=""><br class=""><br class="">Now I would like to implement something like that :<span class="Apple-converted-space"> </span><a href="https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html</a><span class="Apple-converted-space"> </span>; allowing some clients to access some network and not the others.<br class=""><br class=""><br class="">Unfortunately I didn't see (or understand) the issue on that page (<a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile" target="_blank" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile</a>) :<br class=""><br class=""><br class="">ASN.1 Distinguished Names can't be used as identities because the client currently sends them as identities of type FQDN.<br class=""><br class=""><br class="">As a result when I put rightid in my configuration it's not working because MacOsX is only sending a fqdn (an email address in my case) and not the Distinguished Name.<br class=""><br class=""><br class=""><br class="">My question is how can allow (or deny) some network to some user?<br class=""><br class=""><br class=""><br class="">I have a file that associates email address to "role" but I don't know how to use it. Maybe a plugin?<br class=""><br class=""><br class="">Any ideas/links?<br class=""><br class=""><br class="">Thank you!<br class=""><br class="">--<br class=""><br class="">Matthieu Nantern<br class=""><br class=""><br class="">--<br class=""><br class="">Matthieu Nantern<br class="">SRE, Margo Bank<br class="">+33683148506<br class=""><br class=""><br class="">--<br class=""><br class="">Matthieu Nantern<br class="">SRE, Margo Bank<br class="">+33683148506</div></span></font></div></blockquote></div><br clear="all" class=""><br class="">--<span class="Apple-converted-space"> </span><br class=""><div dir="ltr" class="m_5834563087877639267gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: "Courier New";" class="">Matthieu Nantern
SRE, Margo Bank
+33683148506</pre></div></div></div></div></div></div></blockquote></div><br clear="all" class=""><br class="">--<span class="Apple-converted-space"> </span><br class=""><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: "Courier New";" class="">Matthieu Nantern
SRE, Margo Bank
+33683148506</pre></div></div></div></div></div></div></blockquote></div><br class=""></div></div></body></html>