[strongSwan] W7 eap-mschapv2 with defined ip
Dirk Hartmann
dha at heise.de
Wed Aug 22 11:58:34 CEST 2012
Hi Andreas,
works like a charm.
Thank you very much!
Dirk
--On Wednesday, August 22, 2012 10:22:59 AM +0200 Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi Dirk,
>
> did you have a look at the ipsec pool tool which allows to
> pre-assign static IP addresses to users by storing them in
> a small SQLite database:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool
>
> Interesting for you is a feature which allows ipsec pool
> to read file-based list and store the entries in the
> database
>
> ipsec pool --add <name> --addresses <file> [--timeout <timeout>]
>
> Add a list of pool addresses to the database.
>
> name: Name of the pool, as used in ipsec.conf rightsourceip=%name
>
> file: File where newline-separated pool addresses for are read from
>
> Optionally each address can be pre-assigned to a roadwarrior identity,
> e.g. 10.231.14.2=alice at strongswan.org.
> If a '-' (hyphen) is given instead of a file name, the addresses are
> read from STDIN.
> Reading addresses stops at the end of file or an empty line.
> Pools created with this command can not be resized.
>
> timeout: Lease time in hours, 0 for static leases
>
> Best regards
>
> Andreas
>
> On 22.08.2012 10:09, Dirk Hartmann wrote:
>> Hi,
>>
>> I played with a config to connect Win7 clients with EAP-MSCHAPv2
>> auth:
>> <http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultiple
>> Config>
>>
>>
>> works so far, but has the drawback that you can't assign a static
>> IPs to a special user. I tried to simply use two connections with:
>>
>> conn win7eap
>> right=%any
>> rightauth=eap-mschapv2
>> rightsourceip=10.0.0.3
>> rightsendcert=never
>> eap_identity=dhaeap
>>
>> conn win7auth
>> right=%any
>> rightauth=eap-mschapv2
>> rightsourceip=10.10.2.3
>> rightsendcert=never
>> eap_identity=dhaw7
>>
>> But Strongswan always picks the first connection on every client
>> connecting via eap-mschapv2. So eap_identity doesn't work the way I
>> expected it to.
>>
>> Aug 22 09:37:36 purgatory01 charon: 09[CFG] candidate "win7eap",
>> match: 1/1/5/2 (me/other/ike/version)
>> Aug 22 09:37:36 purgatory01 charon: 09[CFG] candidate "win7auth",
>> match: 1/1/5/2 (me/other/ike/version)
>> Aug 22 09:37:36 purgatory01 charon: 09[CFG] selected peer config
>> 'win7eap'
>>
>> Is there an other way to assign static IPs to Win7 clients
>> connecting with eap-mschapv2 or is this only possible using client
>> certificates?
>>
>> The thing is I would like to assign different networks to different
>> users depending on their department.
>>
>> Thanks and Regards
>>
>> Dirk
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
--
Dirk Hartmann, Heise Zeitschriften Verlag GmbH & Co. KG
IT-Systemmanagement, Karl-Wiechert-Allee 10, D-30625 Hannover
E-Mail: dha at heise.de - Tel.: +49 511 5352 494 - FAX: - 479
PGP-Fingerprint 4153 7C95 3259 C39F 49AA 9BAA 6833 A8DC 6D90 050E
Don't blame me for the following spam, blame european government:
Heise Zeitschriften Verlag GmbH & Co. KG
Registergericht: Amtsgericht Hannover HRA 26709
Persönlich haftende Gesellschafterin:
Heise Zeitschriften Verlag Geschäftsführung GmbH
Registergericht: Amtsgericht Hannover, HRB 60405
Geschäftsführer: Ansgar Heise, Dr. Alfons
Schräder
More information about the Users
mailing list