[strongSwan] Custom DNS servers for blacklisted users

kgardenia42 kgardenia42 at googlemail.com
Thu Feb 7 14:37:17 CET 2013


Hi list,

I would like some input from people who understand the code-base on
the following ...

My situation is: I have iOS devices (IKEv1) connecting to strongSwan
(5.0.2) using xauthrsasig. They are connecting using "VPN On Demand".
The CN field of the client certificate has a user/device identifier.

I have some users I would like to eject from the system.  I realize I
can use CRLs but since they are using "VPN On Demand" my experience is
that their device will just black-hole in an infinite reconnect loop
and they will lose network access.  This is a pretty nasty scenario to
impose upon users especially as they may not realize why they have
lost network access and waste a lot of time troubleshooting it
(particularly non-techy users).

So ... I'd like to eject them from the system in a nicer way.  My
idea was to allow them to connect to the VPN but if they are on the
black-list I would like to push them out a custom DNS server which
will resolve everything to a webapp which tells them they have lost
VPN access and instructions on how to proceed.  This way they
effectively lose VPN access but they understand why and the user
experience is much less jarring.

My questions are:
* does this seem like a viable approach?
* do you have any other/better suggestions I could use to accomplish
the same thing?
* if the approach seems viable, could you give me a few pointers on
where I would find the code which pushes out the DNS servers so I can
experiment with trying to patch it to do what I have outlined.
* also, do you know of any plugin or patch which already does
something like this?

Any insights or suggestions would be greatly appreciated.

Thanks.

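A configuration sketch of the idea described above, added here as an example (it is not from the post or from the strongSwan project): two ipsec.conf sections, one matching every client certificate issued by the CA and one matching a single ejected identity by its exact DN, with rightdns deciding which resolver is pushed. The host name, DN values, certificate file and addresses are assumptions.

```conf
# ipsec.conf excerpt (added example). Assumed names: vpn.example.com,
# serverCert.pem, the CA DN, the CN "alice-iphone", and the addresses
# 10.10.0.1 (real resolver) and 10.10.0.53 (notice resolver).

conn ios-users
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%any
    leftcert=serverCert.pem
    leftid=@vpn.example.com
    leftsubnet=0.0.0.0/0
    right=%any
    # any client certificate issued by this CA matches this section
    rightca="C=CH, O=Example, CN=Example CA"
    rightsourceip=10.10.0.0/24
    # normal resolver, pushed to the client as a Mode Config attribute
    rightdns=10.10.0.1
    auto=add

# One section per ejected identity. An exact rightid is a more specific
# match than the CA-only section above, so charon selects it for that peer
# while every other client keeps using ios-users.
conn ios-ejected-alice
    also=ios-users
    rightid="C=CH, O=Example, CN=alice-iphone"
    # separate address pool so a firewall rule can confine this client to
    # the notice server; the DNS push by itself only changes name resolution
    rightsourceip=10.10.1.0/24
    # resolver that answers every query with the notice webapp's address
    rightdns=10.10.0.53
    auto=add
```

Pair the ejected section with a firewall rule on its pool: a client that still routes IP traffic through the tunnel can bypass a captive resolver by using addresses directly, so the DNS attribute handles the user-facing explanation while the rule enforces the loss of access.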