[strongSwan] Certificate Based Routing
Paton, Andy
andy.paton at hp.com
Wed Jun 5 10:36:32 CEST 2013
I am trying to design a unified VPN gateway - by unified I mean one VPN headend, which can handle connections to multiple backends. I have a VM with a number of NICs attached:
eth0 - Front Facing IP of Headend 10.1.0.2/30
eth1 - Backend Resource group A 172.18.81.137/24
eth2 - Backend Resource group B 162.18.81.137/24
So the intention is to configure the VPN connection to inspect a device/user certificate (x509) and route to the backend resource according to an ACL.
So for example -
Joe Bloggs is permitted to access resources on both backend A & B. Mickey Mouse is permitted to access only resources on backend B.
Joe Bloggs establishes a VPN connection to the headend, and attempts to connect to a resource: 172.17.81.142 for example, on resource group A. Based on Joe's certificate he should be routed accordingly for this request.
If Mickey Mouse attempts to access the same resource, because the certificate doesn't permit access, then strongSwan should block access to this IP address.
How might I go about configuring strongSwan to do this?
The current config looks like this, for dropping resources onto a single subnet:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        ike=aes256-sha256-modp1024!
        esp=aes256-sha256-modp1024!

conn rw
        #left=10.1.0.2
        leftcert=supermanCert.der
        leftid="CN=EN, O=JusticeLeague, CN=Metropolis"
        leftsubnet=172.17.81.137/27
        leftfirewall=yes
        right=%any
        rightsourceip=10.3.100.0/24
        rightid=%any
        keyexchange=ikev2
        auto=add
Andy Paton
Business Development Solution Architect
HP Enterprise Services
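One way to get per-certificate backend access, sketched as an added example rather than anything from the post or from strongSwan itself: replace the default leftfirewall handling with a custom leftupdown script that reads the peer DN (PLUTO_PEER_ID) and the peer's traffic selector (PLUTO_PEER_CLIENT, the assigned virtual IP /32 with rightsourceip) and installs FORWARD rules from an ACL. The DNs, subnets and ACL table below are constructed for the example; the conn would carry leftsubnet covering both backends and leftupdown pointing at this script.

```shell
#!/bin/sh
# Hypothetical leftupdown script (not strongSwan's _updown): maps the peer's
# certificate DN (PLUTO_PEER_ID) to the backend subnets that identity may reach
# and adds/removes FORWARD rules for the peer's selector (PLUTO_PEER_CLIENT).
# DNs, subnets and the ACL are constructed sample values.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and just print the rules

# ACL: permitted backend networks per certificate DN, space separated.
acl_for_id() {
    case "$1" in
        "C=US, O=JusticeLeague, CN=Joe Bloggs")   echo "172.17.81.128/27 162.18.81.0/24" ;;
        "C=US, O=JusticeLeague, CN=Mickey Mouse") echo "162.18.81.0/24" ;;
        *)                                        echo "" ;;   # unknown DN: no access
    esac
}

# apply_rules add|del <peer DN> <peer client selector>
# ACCEPT rules are inserted (-I) ahead of an appended (-A) per-peer DROP, so a
# DN with no ACL entry ends up with only the DROP rule for its virtual IP.
apply_rules() {
    verb=$1; peer_id=$2; client=$3
    if [ "$verb" = add ]; then ins=-I; app=-A; else ins=-D; app=-D; fi
    for net in $(acl_for_id "$peer_id"); do
        "$IPT" $ins FORWARD -s "$client" -d "$net" -m comment --comment "vpn-acl" -j ACCEPT
    done
    "$IPT" $app FORWARD -s "$client" -m comment --comment "vpn-acl" -j DROP
}

# Number of rules apply_rules would emit for a peer (dry-run, for checks).
rule_count() {
    ( IPT=echo; apply_rules "$1" "$2" "$3" ) | wc -l | tr -d ' '
}

# Entry point when charon's updown plugin invokes the script.
case "${PLUTO_VERB:-}" in
    up-client)   apply_rules add "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT" ;;
    down-client) apply_rules del "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT" ;;
esac
```

Because the script no longer adds the blanket leftsubnet ACCEPT that leftfirewall=yes would, the FORWARD chain should have a DROP policy so that traffic not matched by an ACL rule is blocked by default.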