<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">One possible way I can see this working is by using the <b class="">_updown</b> script to set firewall rules and set the <b class="">local_ts</b> with all private network addresses...<div class=""><br class=""></div><div class=""><div class=""><br class=""><div class="">up-client:)</div><div class=""><span class="Apple-tab-span" style="white-space:pre">    </span># connection to my client subnet coming up</div><div class=""><span class="Apple-tab-span" style="white-space:pre">        </span># If you are doing a custom version, firewall commands go here.</div><div class=""><span class="Apple-tab-span" style="white-space:pre">  </span>;;</div><div class="">down-client:)</div><div class=""><span class="Apple-tab-span" style="white-space:pre">   </span># connection to my client subnet going down</div><div class=""><span class="Apple-tab-span" style="white-space:pre">       </span># If you are doing a custom version, firewall commands go here.</div><span class="Apple-tab-span" style="white-space:pre"> </span>;;</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><a href="https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/_updown/_updown.in#L224" class="">https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/_updown/_updown.in#L224</a></div><div class=""><br class=""></div><div class="">
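<div class="">As an added example (not part of the original reply, and not strongSwan's own _updown template), here is a minimal custom updown script in the spirit of the suggestion above: local_ts stays wide and covers all three private networks, and the per-user restriction is enforced with iptables rules keyed on the identity charon hands to the script. Assumptions: the user-to-network table is constructed here and would really be looked up in the same AAA backend that answers the EAP request; the 10.x.0.0/24 networks stand in for CIDR_A/B/C; the VPN_CLIENTS chain already exists and is jumped to from FORWARD; and PLUTO_PEER_ID carries the identity the client authenticated as (confirm against the charon log for an EAP setup). The script would be referenced from the child's updown option in swanctl.conf in place of the commented-out line in the original configuration.</div>

```shell
#!/bin/sh
# Constructed example: a custom strongSwan updown script that restricts each
# VPN client to the private networks its group is allowed to reach.
# charon exports PLUTO_VERB, PLUTO_PEER_ID and PLUTO_PEER_SOURCEIP (among
# others) to the updown script; the mapping table below is an assumption
# standing in for a real AAA lookup.

# Constructed private networks, standing in for CIDR_A / CIDR_B / CIDR_C.
NET1="10.1.0.0/24"
NET2="10.2.0.0/24"
NET3="10.3.0.0/24"

# iptables binary; set IPTABLES=echo to dry-run and only print the rules.
IPTABLES="${IPTABLES:-iptables}"
# Dedicated chain (assumed to exist and be referenced from FORWARD) so the
# per-client rules are easy to audit and to flush.
CHAIN="${CHAIN:-VPN_CLIENTS}"

# Map an authenticated identity to the networks it may reach.
# Unknown identities get an empty list, so the default is deny.
allowed_nets_for() {
    case "$1" in
        carol) echo "$NET1 $NET2" ;;
        david) echo "$NET2 $NET3" ;;
        anna)  echo "$NET1 $NET2 $NET3" ;;
        *)     echo "" ;;
    esac
}

# Emit one ACCEPT per permitted network for the client's virtual IP, then a
# catch-all REJECT for that IP. $1 = -A (add) or -D (delete), $2 = identity,
# $3 = client source IP. Return traffic is expected to be handled by a
# conntrack ESTABLISHED rule in FORWARD, which is not part of this script.
apply_rules() {
    action="$1"; user="$2"; src="$3"
    nets=$(allowed_nets_for "$user")
    for net in $nets; do
        "$IPTABLES" "$action" "$CHAIN" -s "$src" -d "$net" -j ACCEPT
    done
    "$IPTABLES" "$action" "$CHAIN" -s "$src" -j REJECT
}

# Entry point mirroring the up-client / down-client cases of _updown.
handle_updown() {
    case "$PLUTO_VERB" in
        up-client)   apply_rules -A "$PLUTO_PEER_ID" "$PLUTO_PEER_SOURCEIP" ;;
        down-client) apply_rules -D "$PLUTO_PEER_ID" "$PLUTO_PEER_SOURCEIP" ;;
        *) ;;  # up-host and friends need no firewall change here
    esac
}

# Only act when invoked by charon (PLUTO_VERB set), not when sourced.
if [ -n "$PLUTO_VERB" ]; then
    handle_updown
fi
```

<div class="">Running it with IPTABLES=echo prints the rules that would be installed. The trailing REJECT is what makes the scheme default-deny: an identity that is missing from the table reaches nothing, and on down-client the same rules are removed with -D so a reused pool address does not inherit a previous user's access.</div>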
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; 
-webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div></div></div></div></div></div></div></div><div><blockquote type="cite" class=""><div class="">On 30 Oct 2019, at 23:20, Christian Salway &lt;<a href="mailto:christian.salway@naimuri.com" class="">christian.salway@naimuri.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class=""><br class=""></div><div class="">Is it possible to dynamically set the <b class="">local_ts</b> based on the group the user is a member of?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I have 3 private networks and 1 public network that holds the strongSwan VPN server. From the public network, I can access each private network.</div><div class=""><br class=""></div><div class="">When Carol connects to the VPN, I only want her to be able to access private networks 1 and 2.</div><div class="">When David connects to the VPN, I only want him to be able to access private networks 2 and 3.</div><div class="">When Anna connects, she can access all networks.</div><div class=""><br class=""></div><div class="">Can you think of how this can be done in any way using strongSwan?
The problem I am facing is dynamically setting the <b class="">local_ts</b> before SS sends the routes to the client.</div><div class=""><br class=""></div><div class="">This is my configuration so far:</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div style="color: rgb(212, 212, 212); background-color: rgb(30, 30, 30); font-family: Menlo, Monaco, "Courier New", monospace; line-height: 18px; white-space: pre;" class=""><div class="">echo <span style="color: #ce9178;" class="">"net.ipv4.ip_forward=1"</span> > /etc/sysctl.d/ip_forward.conf</div><div class="">sysctl -p /etc/sysctl.d/ip_forward.conf</div><br class=""><div class="">iptables -t nat -A POSTROUTING -s ${CLIENT_ADDR_POOL} -o eth0 -j MASQUERADE</div><div class="">iptables-save > /etc/sysconfig/iptables</div><br class=""><div class="">sed -i <span style="color: #ce9178;" class="">"s|# \(install_routes\).*$|\1 = no|"</span> /etc/strongswan/strongswan.d/charon.conf</div><br class=""><div class="">cat <<<span style="color: #569cd6;" class="">EOF</span><span style="color: #ce9178;" class=""> > /etc/strongswan/swanctl/swanctl.conf</span></div><div class=""><span style="color: #ce9178;" class="">connections {</span></div><div class=""><span style="color: #ce9178;" class="">    conn {</span></div><div class=""><span style="color: #ce9178;" class="">        version = 2</span></div><div class=""><span style="color: #ce9178;" class="">        send_cert = always</span></div><div class=""><span style="color: #ce9178;" class="">        unique = replace</span></div><div class=""><span style="color: #ce9178;" class="">        rekey_time = 10h</span></div><div class=""><span style="color: #ce9178;" class="">        dpd_delay = 1m</span></div><div class=""><span style="color: #ce9178;" class="">        local {</span></div><div class=""><span style="color: #ce9178;" class="">            auth = pubkey</span></div><div class=""><span style="color: #ce9178;" class="">            certs = 
vpnserver.crt</span></div><div class=""><span style="color: #ce9178;" class="">            id = ${SERVER_FQDNAME}</span></div><div class=""><span style="color: #ce9178;" class="">        }</span></div><div class=""><span style="color: #ce9178;" class="">        remote {</span></div><div class=""><span style="color: #ce9178;" class="">            auth = eap-mschapv2</span></div><div class=""><span style="color: #ce9178;" class="">            eap_id = %any</span></div><div class=""><span style="color: #ce9178;" class="">            # groups = ${AAA_GROUP}</span></div><div class=""><span style="color: #ce9178;" class="">        }</span></div><div class=""><span style="color: #ce9178;" class="">        children {</span></div><div class=""><span style="color: #ce9178;" class="">            child {</span></div><div class=""><span style="color: #ce9178;" class="">                local_ts = ${CIDR_A}</span><span style="caret-color: rgb(206, 145, 120); color: rgb(206, 145, 120);" class="">, ${CIDR_B}</span><span style="caret-color: rgb(206, 145, 120); color: rgb(206, 145, 120);" class="">, ${CIDR_C}</span></div><div class=""><span style="color: #ce9178;" class="">                # updown = /usr/libexec/strongswan/_updown iptables</span></div><div class=""><span style="color: #ce9178;" class="">            }</span></div><div class=""><span style="color: #ce9178;" class="">        }</span></div><div class=""><span style="color: #ce9178;" class="">        pools = pool</span></div><div class=""><span style="color: #ce9178;" class="">    }</span></div><div class=""><span style="color: #ce9178;" class="">}</span></div><div class=""><span style="color: #ce9178;" class="">pools {</span></div><div class=""><span style="color: #ce9178;" class="">    pool {</span></div><div class=""><span style="color: #ce9178;" class="">        addrs = ${CLIENT_ADDR_POOL}</span></div><div class=""><span style="color: #ce9178;" class="">    }</span></div><div class=""><span style="color: #ce9178;" 
class="">}</span></div><div class=""><span style="color: #ce9178;" class="">secrets {</span></div><div class=""><span style="color: #ce9178;" class="">    eap-test {</span></div><div class=""><span style="color: #ce9178;" class="">      id = test</span></div><div class=""><span style="color: #ce9178;" class="">      secret = Test123</span></div><div class=""><span style="color: #ce9178;" class="">    }</span></div><div class=""><span style="color: #ce9178;" class="">}</span></div><div class=""><span style="color: #ce9178;" class="">include conf.d/*.conf</span></div><div class=""><span style="color: #569cd6;" class="">EOF</span></div><div class=""><span style="color: #569cd6;" class=""><br class=""></span></div><div class=""><div style="line-height: 18px;" class=""><div class="">systemctl start strongswan-swanctl</div><div class="">systemctl enable strongswan-swanctl</div></div></div></div></div><div class=""><br class=""></div><div class=""><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>