<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body>
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.m5834563087877639267m100642945487062136xmsonormal, li.m5834563087877639267m100642945487062136xmsonormal, div.m5834563087877639267m100642945487062136xmsonormal
{mso-style-name:m_5834563087877639267m_100642945487062136x_msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal">In the general sense it’s secure, since the connection is validated by the certs. However, in your particular use case, it does seem that a user could change the Remote ID and access the other VPN subnet. I can’t think of a way offhand
to use a cert-based implementation to avoid that, other than using two VPNs, one for each subnet group (with each VPN having a separate root CA cert so no crossover is possible).</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Even if you went to an id/password-based mechanism, you’ll need some way to distinguish the groups. A connection per user would get you there, but that will dramatically increase management complexity, so two VPN servers might be a more
management-efficient approach.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:matthieu.nantern@margo.com">Matthieu Nantern</a><br>
<b>Sent: </b>Thursday, October 11, 2018 6:47 AM<br>
<b>To: </b><a href="mailto:bls3427@outlook.com">bls3427@outlook.com</a><br>
<b>Cc: </b><a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
<b>Subject: </b>Re: [strongSwan] Ikev2 wildcards with MacOs clients</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div dir="ltr">
<div>It's working but I'm wondering if it's really secure ? A user can just change its Remote ID and gain access to the other networks, no ?</div>
<div><br>
</div>
<div>I want something that is server side. I can create one connection for each user but it's ugly !<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Le lun. 8 oct. 2018 à 21:05, bls s <<a href="mailto:bls3427@outlook.com">bls3427@outlook.com</a>> a écrit :<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div class="m_5834563087877639267WordSection1">
<p class="MsoNormal">Definitely interested in seeing it replicated. As an aside, I updated my CA management app
<a href="https://github.com/gitbls/pistrong" target="_blank">https://github.com/gitbls/pistrong</a> with more flexibility to generate this type of VPN cert. Unfortunately, it’s fully built around swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration.
But, if you run into any issues, happy to help you wrangle it into debug mode to use that part of the tool.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:matthieu.nantern@margo.com" target="_blank">Matthieu Nantern</a><br>
<b>Sent: </b>Sunday, October 7, 2018 11:23 PM<br>
<b>To: </b><a href="mailto:bls3427@outlook.com" target="_blank">bls3427@outlook.com</a><br>
<b>Cc: </b><a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
<b>Subject: </b>Re: [strongSwan] Ikev2 wildcards with MacOs clients</p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div dir="ltr">
<div>Very good idea ! I will try that this week and will let you know if it works !
<br>
</div>
<div><br>
</div>
<div>Thank you !<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Le dim. 7 oct. 2018 à 00:17, bls s <<a href="mailto:bls3427@outlook.com" target="_blank">bls3427@outlook.com</a>> a écrit :<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div lang="EN-US" link="blue" vlink="#954F72">
<div class="m_5834563087877639267m_100642945487062136x_WordSection1">
<p class="m_5834563087877639267m_100642945487062136x_MsoNormal">I just did a quick test using my iPhone, and it appears to work just fine. Using 2 strongSwan profiles, each profile has a different VPN cert, with different altNames in the cert. By changing the
Remote ID on iOS I was able to authenticate with each of the 2 profiles. </p>
<p class="m_5834563087877639267m_100642945487062136x_MsoNormal"> </p>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="m_5834563087877639267m_100642945487062136x_MsoNormal" style="border:none;padding:0in">
<b>From: </b><a href="mailto:bls3427@outlook.com" target="_blank">bls s</a><br>
<b>Sent: </b>Friday, October 5, 2018 6:54 AM<br>
<b>To: </b><a href="mailto:matthieu.nantern@margo.com" target="_blank">Matthieu Nantern</a><br>
<b>Cc: </b><a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
<b>Subject: </b>Re: [strongSwan] Ikev2 wildcards with MacOs clients</p>
</div>
<p class="m_5834563087877639267m_100642945487062136x_MsoNormal"> </p>
</div>
</div>
<font size="2"><span style="font-size:11pt">
<div class="m_5834563087877639267m_100642945487062136PlainText">I haven't looked into this in detail, but could you use different VPN certs for each subnet? Each VPN cert would be in a different conn section, and they would have different altNames (SAN). If
I understand the MacOS VPN config correctly (looks a lot like iOS), when certs are installed onto MacOS, you can specify the Remote ID, which is the SAN that matches that of the VPN cert.<br>
<br>
From: Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank">matthieu.nantern@margo.com</a>><br>
Sent: Thursday, October 4, 2018 11:31 PM<br>
To: <a href="mailto:bls3427@outlook.com" target="_blank">bls3427@outlook.com</a><br>
Cc: <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients<br>
<br>
We are using certificates (one for each client device) but I have 2 networks: n1 and n2. And I want that some users can access n1 and others n1 + n2.<br>
<br>
<br>
I wanted to make the distinction by using a conf like that:<br>
<br>
<br>
conn alice<br>
leftsubnet=<a href="http://10.1.0.10/32" target="_blank">10.1.0.10/32</a><br>
right=%any<br>
rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"<br>
auto=add<br>
<br>
conn venus<br>
leftsubnet=<a href="http://10.1.0.20/32" target="_blank">10.1.0.20/32</a><br>
right=%any<br>
rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"<br>
auto=add<br>
But unfortunately with MacOs client I don't have the Distinguished Names but only the FQDN:<br>
<br>
<br>
ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[<a href="http://vpn.test.net" target="_blank">vpn.test.net</a>]...213.41.12.162[<a href="mailto:firstname.lastname@test.com" target="_blank">firstname.lastname@test.com</a>]<br>
ikev2-pubkey{2102}: INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o<br>
<br>
<br>
And if you compare that with the StrongSwan Android client:<br>
<br>
<br>
ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[<a href="http://vpn.test.net" target="_blank">vpn.test.net</a>]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=<a href="mailto:firstname.lastname@test.com" target="_blank">firstname.lastname@test.com</a>]<br>
ikev2-pubkey{2103}: INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o<br>
<br>
<br>
So I cannot route my users according to their certificates and I was wondering what can I do ?<br>
<br>
<br>
<br>
Le jeu. 4 oct. 2018 à 19:42, bls s <<a href="mailto:bls3427@outlook.com" target="_blank">bls3427@outlook.com</a>> a écrit :<br>
<br>
Someone will likely explain why using certificates sucks, but if you use certificates (one for each client device) you'll have fine-grained user access control (by revoking/deleting certs), and you don't need to list all the enabled certs anywhere in your config
file.<br>
From: Users <<a href="mailto:users-bounces@lists.strongswan.org" target="_blank">users-bounces@lists.strongswan.org</a>> on behalf of Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank">matthieu.nantern@margo.com</a>><br>
Sent: Thursday, October 4, 2018 8:41 AM<br>
To: <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients<br>
<br>
Is it possible to have multiple email address in the “rightid“ parameter ? Maybe I can list all authorized users for each server instead of relying on Distinguished Names ?<br>
<br>
<br>
<br>
Le mer. 3 oct. 2018 à 08:42, Matthieu Nantern <<a href="mailto:matthieu.nantern@margo.com" target="_blank">matthieu.nantern@margo.com</a>> a écrit :<br>
<br>
Hi !<br>
<br>
<br>
I installed StrongSwan to allow my users (mainly MacOs X clients) to use the native ikev2 authentication. Everything is working fine.<br>
<br>
<br>
Now I would like to implement something like that : <a href="https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html" target="_blank">
https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html</a> ; allowing some clients to access some network and not the others.<br>
<br>
<br>
Unfortunately I didn't see (or understand) the issue on that page (<a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile</a>) :<br>
<br>
<br>
ASN.1 Distinguished Names can't be used as identities because the client currently sends them as identities of type FQDN.<br>
<br>
<br>
As a result when I put rightid in my configuration it's not working because MacOsX is only sending a fqdn (an email address in my case) and not the Distinguished Name.<br>
<br>
<br>
<br>
My question is how can allow (or deny) some network to some user?<br>
<br>
<br>
<br>
I have a file that associates email address to "role" but I don't know how to use it. Maybe a plugin?<br>
<br>
<br>
Any ideas/links?<br>
<br>
<br>
Thank you!<br>
<br>
--<br>
<br>
Matthieu Nantern<br>
<br>
<br>
--<br>
<br>
Matthieu Nantern<br>
SRE, Margo Bank<br>
+33683148506<br>
<br>
<br>
--<br>
<br>
Matthieu Nantern<br>
SRE, Margo Bank<br>
+33683148506</div>
</span></font></div>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr" class="m_5834563087877639267gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<pre>Matthieu Nantern
SRE, Margo Bank
+33683148506</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<pre>Matthieu Nantern
SRE, Margo Bank
+33683148506</pre>
</div>
</div>
</div>
</div>
</div>
</body>
</html>