<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class=""><br class=""></div>
<div class="">Is it possible to dynamically set the <b class="">local_ts</b> based on the group the user is a member of?</div><div class=""><br class=""></div><div class=""><br class=""></div>
<div class="">I have 3 private networks and 1 public network that holds the strongSwan VPN server. From the public network, I can access each private network.</div><div class=""><br class=""></div>
<div class="">When Carol connects to the VPN, I only want her to be able to access private networks 1 and 2.</div>
<div class="">When David connects to the VPN, I only want him to be able to access private networks 2 and 3.</div>
<div class="">When Anna connects, she can access all networks.</div><div class=""><br class=""></div>
<div class="">Can you think of how this can be done in any way using strongSwan? The problem I am facing is dynamically setting the <b class="">local_ts</b> before SS sends the routes to the client.</div><div class=""><br class=""></div>
<div class="">This is my configuration so far:</div><div class=""><br class=""></div><div class=""><br class=""></div>
<div class=""><div style="color: rgb(212, 212, 212); background-color: rgb(30, 30, 30); font-family: Menlo, Monaco, &quot;Courier New&quot;, monospace; line-height: 18px; white-space: pre;" class=""><div class="">echo <span style="color: #ce9178;" class="">"net.ipv4.ip_forward=1"</span> > /etc/sysctl.d/ip_forward.conf</div><div class="">sysctl -p /etc/sysctl.d/ip_forward.conf</div><br class=""><div class="">iptables -t nat -A POSTROUTING -s ${CLIENT_ADDR_POOL} -o eth0 -j MASQUERADE</div><div class="">iptables-save > /etc/sysconfig/iptables</div><br class=""><div class="">sed -i <span style="color: #ce9178;" class="">"s|# \(install_routes\).*$|\1 = no|"</span> /etc/strongswan/strongswan.d/charon.conf</div><br class=""><div class="">cat &lt;&lt;<span style="color: #569cd6;" class="">EOF</span><span style="color: #ce9178;" class=""> > /etc/strongswan/swanctl/swanctl.conf</span></div><div class=""><span style="color: #ce9178;" class="">connections {</span></div><div class=""><span style="color: #ce9178;" class="">    conn {</span></div><div class=""><span style="color: #ce9178;" class="">        version = 2</span></div><div class=""><span style="color: #ce9178;" class="">        send_cert = always</span></div><div class=""><span style="color: #ce9178;" class="">        unique = replace</span></div><div class=""><span style="color: #ce9178;" class="">        rekey_time = 10h</span></div><div class=""><span style="color: #ce9178;" class="">        dpd_delay = 1m</span></div><div class=""><span style="color: #ce9178;" class="">        local {</span></div><div class=""><span style="color: #ce9178;" class="">            auth = pubkey</span></div><div class=""><span style="color: #ce9178;" class="">            certs = vpnserver.crt</span></div><div class=""><span style="color: #ce9178;" class="">            id = ${SERVER_FQDNAME}</span></div><div class=""><span style="color: #ce9178;" class="">        }</span></div><div class=""><span style="color: #ce9178;" class="">        remote {</span></div><div class=""><span style="color: #ce9178;" class="">            auth = eap-mschapv2</span></div><div class=""><span style="color: #ce9178;" class="">            eap_id = %any</span></div><div class=""><span style="color: #ce9178;" class="">            # groups = ${AAA_GROUP}</span></div><div class=""><span style="color: #ce9178;" class="">        }</span></div><div class=""><span style="color: #ce9178;" class="">        children {</span></div><div class=""><span style="color: #ce9178;" class="">            child {</span></div><div class=""><span style="color: #ce9178;" class="">                local_ts = ${CIDR_A}</span><span style="caret-color: rgb(206, 145, 120); color: rgb(206, 145, 120);" class="">, ${CIDR_B}</span><span style="caret-color: rgb(206, 145, 120); color: rgb(206, 145, 120);" class="">, ${CIDR_C}</span></div><div class=""><span style="color: #ce9178;" class="">                # updown = /usr/libexec/strongswan/_updown iptables</span></div><div class=""><span style="color: #ce9178;" class="">            }</span></div><div class=""><span style="color: #ce9178;" class="">        }</span></div><div class=""><span style="color: #ce9178;" class="">        pools = pool</span></div><div class=""><span style="color: #ce9178;" class="">    }</span></div><div class=""><span style="color: #ce9178;" class="">}</span></div><div class=""><span style="color: #ce9178;" class="">pools {</span></div><div class=""><span style="color: #ce9178;" class="">    pool {</span></div><div class=""><span style="color: #ce9178;" class="">        addrs = ${CLIENT_ADDR_POOL}</span></div><div class=""><span style="color: #ce9178;" class="">    }</span></div><div class=""><span style="color: #ce9178;" class="">}</span></div><div class=""><span style="color: #ce9178;" class="">secrets {</span></div><div class=""><span style="color: #ce9178;" class="">    eap-test {</span></div><div class=""><span style="color: #ce9178;" class="">      id = test</span></div><div class=""><span style="color: #ce9178;" class="">      secret = Test123</span></div><div class=""><span style="color: #ce9178;" class="">    }</span></div><div class=""><span style="color: #ce9178;" class="">}</span></div><div class=""><span style="color: #ce9178;" class="">include conf.d/*.conf</span></div><div class=""><span style="color: #569cd6;" class="">EOF</span></div><div class=""><span style="color: #569cd6;" class=""><br class=""></span></div><div class=""><div style="line-height: 18px;" class=""><div class="">systemctl start strongswan-swanctl</div><div class="">systemctl enable strongswan-swanctl</div></div></div></div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>
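One way to get the per-group narrowing the post asks about, added here as an example and not the poster's configuration: instead of one connection whose local_ts must change at runtime, define one connection per group and let the `groups` constraint (the option commented out in the post) pick the connection after authentication. It assumes user authentication is moved to a RADIUS server via `auth = eap-radius`, that the server's Access-Accept carries a Class attribute naming the user's group, and that `class_group = yes` is set for charon's eap-radius plugin; the connection names, the group names net12/net23/all and the ${CIDR_*}/${SERVER_FQDNAME} variables are constructed or taken from the post, and the IKE options and pools/secrets sections unchanged from the post are left out.

```conf
# /etc/strongswan/swanctl/swanctl.conf (added example; variables as in the post)
connections {
    # Carol's group: private networks 1 and 2 only
    vpn-net12 {
        version = 2
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = ${SERVER_FQDNAME}
        }
        remote {
            auth = eap-radius
            eap_id = %any
            # compared with the group(s) the RADIUS Class attribute assigns the peer
            groups = net12
        }
        children {
            child {
                local_ts = ${CIDR_A}, ${CIDR_B}
            }
        }
        pools = pool
    }
    # Anna's group: all three private networks
    vpn-all {
        version = 2
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = ${SERVER_FQDNAME}
        }
        remote {
            auth = eap-radius
            eap_id = %any
            groups = all
        }
        children {
            child {
                local_ts = ${CIDR_A}, ${CIDR_B}, ${CIDR_C}
            }
        }
        pools = pool
    }
    # vpn-net23 for David's group follows the same pattern with
    # groups = net23 and local_ts = ${CIDR_B}, ${CIDR_C}
}
```

Because charon only finalises the connection after EAP has completed and the `groups` constraint has been checked, each user negotiates the traffic selectors of the connection their group matches; with `install_routes = no` as in the post, the narrowed TS (not a route push) is what limits which private networks the client's IPsec policies cover.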