[strongSwan] rightgroups is not working with IKEv1

yordanos beyene yordanosb at gmail.com
Fri Jul 27 01:47:35 CEST 2012


Hi Martin,

The patch worked. SS 5.0.0 can select the connection that matches the group
attribute returned from radius server with IKEv1 as well.

It is a superb feature to have a mechanism to provide different level of
access to remote users.

See my output below.

Thank you very much again for the quick help!

Jordan.

rw-ikev1-rnd[2]: ESTABLISHED 16 seconds ago,
172.16.20.1[zeus.test.net]...172.16.60.10[C=US,
ST=CA, O=UC, OU=EDU CN=hera.test.net, E=hera at test.net
rw-ikev1-rnd[2]: Remote XAuth identity: jordan
rw-ikev1-rnd[2]: IKEv1 SPIs: 709a09353ddafd25_i 7a8e1588cc122084_r*, public
key reauthentication in 54 minutes
rw-ikev1-rnd[2]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-ikev1-rnd{2}:  INSTALLED, TUNNEL, ESP SPIs: cbd9f329_i e95ad9a5_o
rw-ikev1-rnd{2}:  AES_CBC_256/HMAC_MD5_96, 720 bytes_i (0s ago), 720
bytes_o (0s ago), rekeying in 14 minutes
rw-ikev1-rnd{2}:   172.16.50.0/24 === 192.16.80.2/32


rw-ikev1-mgmt[4]: ESTABLISHED 9 seconds ago,
172.16.20.1[zeus.test.net]...172.16.60.10[C=US,
ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net]
rw-ikev1-mgmt[4]: Remote XAuth identity: even
rw-ikev1-mgmt[4]: IKEv1 SPIs: d936e9ce492b3210_i f41cc7aa43d23306_r*,
public key reauthentication in 55 minutes
rw-ikev1-mgmt[4]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-ikev1-mgmt{3}:  INSTALLED, TUNNEL, ESP SPIs: c50f1999_i 324ae0ba_o
rw-ikev1-mgmt{3}:  AES_CBC_256/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying
in 15 minutes
rw-ikev1-mgmt{3}:   172.16.100.0/24 === 192.16.90.2/32




On Thu, Jul 26, 2012 at 9:34 AM, yordanos beyene <yordanosb at gmail.com>wrote:

> Thank you very much Martin for the quick patch. Excellent support!
> I will apply the patch and let you know the outcome.
>
> Jordan.
>
> On Thu, Jul 26, 2012 at 6:26 AM, Martin Willi <martin at strongswan.org>wrote:
>
>>
>> > Currently missing is the connection fallback, though. So
>> > if your first connection does not comply, the setup fails without
>> > switching to a potentially matching connection. I'll try to get this
>> > implemented ASAP, but this requires some work.
>>
>> I've just pushed another patch [1] that implements late peer config
>> switching if XAuth authentication does not fulfill the configured
>> constraints, such as group membership. With all these patches applied,
>> group information from RADIUS now can be used to select configurations
>> in IKEv1, too.
>>
>> Regards
>> Martin
>>
>> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=8b560a45
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120726/619117db/attachment.html>


More information about the Users mailing list