[strongSwan] W7 eap-mschapv2 with defined ip

Dirk Hartmann dha at heise.de
Wed Aug 22 11:58:34 CEST 2012


Hi Andreas,

works like a charm.
Thank you very much!

Dirk

--On Wednesday, August 22, 2012 10:22:59 AM +0200 Andreas Steffen 
<andreas.steffen at strongswan.org> wrote:

> Hi Dirk,
>
> did you have a look at the ipsec pool tool which allows to
> pre-assign static IP addresses to users by storing them in
> a small SQLite database:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool
>
> Interesting for you is a feature which allows ipsec pool
> to read a file-based list and store the entries in the
> database
>
> ipsec pool --add <name> --addresses <file> [--timeout <timeout>]
>
> Add a list of pool addresses to the database.
>
> name: Name of the pool, as used in ipsec.conf rightsourceip=%name
>
> file: File where newline-separated pool addresses are read from
>
> Optionally each address can be pre-assigned to a roadwarrior identity,
> e.g. 10.231.14.2=alice@strongswan.org.
> If a '-' (hyphen) is given instead of a file name, the addresses are
> read from STDIN.
> Reading addresses stops at the end of file or an empty line.
> Pools created with this command can not be resized.
>
> timeout: Lease time in hours, 0 for static leases
>
> Best regards
>
> Andreas
>
> On 22.08.2012 10:09, Dirk Hartmann wrote:
>> Hi,
>>
>> I played with a config to connect Win7 clients with EAP-MSCHAPv2
>> auth:
>> <http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig>
>>
>>
>> works so far, but has the drawback that you can't assign a static
>> IP to a special user. I tried to simply use two connections with:
>>
>> conn win7eap
>>         right=%any
>>         rightauth=eap-mschapv2
>>         rightsourceip=10.0.0.3
>>         rightsendcert=never
>>         eap_identity=dhaeap
>>
>> conn win7auth
>>         right=%any
>>         rightauth=eap-mschapv2
>>         rightsourceip=10.10.2.3
>>         rightsendcert=never
>>         eap_identity=dhaw7
>>
>> But Strongswan always picks the first connection on every client
>> connecting via eap-mschapv2. So eap_identity doesn't work the way I
>> expected it to.
>>
>> Aug 22 09:37:36 purgatory01 charon: 09[CFG]   candidate "win7eap", match: 1/1/5/2 (me/other/ike/version)
>> Aug 22 09:37:36 purgatory01 charon: 09[CFG]   candidate "win7auth", match: 1/1/5/2 (me/other/ike/version)
>> Aug 22 09:37:36 purgatory01 charon: 09[CFG] selected peer config 'win7eap'
>>
>> Is there another way to assign static IPs to Win7 clients
>> connecting with eap-mschapv2 or is this only possible using client
>> certificates?
>>
>> The thing is I would like to assign different networks to different
>> users depending on their department.
>>
>> Thanks and Regards
>>
>> Dirk
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>



-- 
Dirk Hartmann, Heise Zeitschriften Verlag GmbH & Co. KG
IT-Systemmanagement, Karl-Wiechert-Allee 10,  D-30625 Hannover
E-Mail: dha at heise.de - Tel.: +49 511 5352 494 - FAX:  - 479
PGP-Fingerprint 4153 7C95 3259 C39F 49AA  9BAA 6833 A8DC 6D90 050E

Don't blame me for the following spam, blame european government:

Heise Zeitschriften Verlag GmbH & Co. KG
Court of registration: Amtsgericht Hannover HRA 26709

General partner:
Heise Zeitschriften Verlag Geschäftsführung GmbH
Court of registration: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder
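
An added example, not part of the original messages and not strongSwan code: a Python check for the address list that `ipsec pool --add <name> --addresses <file>` reads, following the format rules quoted above (one address per line, optional `=identity`, reading stops at an empty line). The sample list, the duplicate checks and the name `lint_pool_file` are assumptions of this example; how `ipsec pool` itself reacts to malformed lines is not stated in the thread.

```python
import ipaddress

# Constructed sample list (identities taken from the thread, addresses made up).
SAMPLE = """\
10.0.0.3=dhaeap
10.0.0.4
10.0.0.3=dhaw7
10.0.0.300=carol

10.0.0.9=never-read
"""

def lint_pool_file(text):
    """Return (entries, problems); problems are (line_number, message) tuples."""
    entries, problems = [], []
    seen_addr, seen_id = set(), set()
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            # Reading stops at an empty line, so later entries get no lease.
            rest = [l for l in lines[lineno:] if l.strip()]
            if rest:
                problems.append((lineno, f"{len(rest)} line(s) after empty line are never read"))
            break
        addr_s, sep, identity = line.partition("=")
        identity = identity.strip() if sep else None
        try:
            addr = ipaddress.ip_address(addr_s.strip())
        except ValueError:
            problems.append((lineno, f"invalid address {addr_s!r}"))
            continue
        if sep and not identity:
            problems.append((lineno, "'=' given but identity is empty"))
        elif addr in seen_addr:
            # Two users pinned to one address would collide on the tunnel.
            problems.append((lineno, f"address {addr} listed twice"))
        elif identity in seen_id:
            # Policy of this example: one static address per identity.
            problems.append((lineno, f"identity {identity!r} pre-assigned twice"))
        else:
            seen_addr.add(addr)
            if identity:
                seen_id.add(identity)
            entries.append((str(addr), identity))
    return entries, problems

if __name__ == "__main__":
    ok, bad = lint_pool_file(SAMPLE)
    print(ok)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

Running the check before loading the list matters because, per the quoted description, pools created with `--addresses` cannot be resized afterwards.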



