[strongSwan] Certificate Based Routing
andy.paton at hp.com
Wed Jun 5 10:36:32 CEST 2013
I am trying to design a unified VPN gateway - by unified i mean one VPN headend, which can handle connections to multiple backends. I have a VM with a number of NiC's attached:
eth0 - Front Facing IP of Headend 10.1.0.2/30 eth1 - Backend Resource grouup A 172.18.81.137/24 eth2 - Backend Resource group B 18.104.22.168/24
So the intention is to configure the VPN connection to inspect a device/user certificate (x509) and route to the backend resource according to an ACL.
So for example -
Joe Bloggs is permitted to access resources on both backend A & B. Mickey Mouse is permitted to access only resources on backend B.
Joe Bloggs establishes VPN connection to the headend, and attempts to connect to a resource: 172.17.81.142 for example, on resource group A. Based on the Joe's certificate he should be routed accordingly for this request.
If Mickey mouse attempts to access the same resource, because the certificate doesn't permit access - then Strongswan should block access to this IP address.
How might i go about configuring strongswan to do this?
Current config looks like this - for dropping resources onto a single subnet:
# /etc/ipsec.conf - strongSwan IPsec configuration file
leftid="CN=EN, O=JusticeLeague, CN=Metropolis"
Business Development Solution Architect
HP Enterprise Services
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users