[strongSwan] Certificate Based Routing

Ulrich Schinz ulrich.schinz at ksfh.de
Wed Jun 5 11:20:10 CEST 2013


Hey Andy,

maybe this helps a bit. I tried something similar: I tried to establish 
a "group" system based on my certificates. So here is my server config:

conn group1
        left=192.168.0.200
        leftcert=vpnserver.crt
        leftsubnet=192.168.5.0/24
        leftid=vpnserver.of.our.company.fqdn
        leftfirewall=yes
        right=%any
        rightid="DC=de, DC=company, O=Companyname, OU=group1 certificate, CN=*"
        rightsourceip=10.0.50.0/24
        auto=add

conn group2
        left=192.168.0.200
        leftcert=vpnserver.crt
        leftsubnet=192.168.5.0/24,192.168.3.0/24
        leftid=vpnserver.of.our.company.fqdn
        leftfirewall=yes
        right=%any
        rightid="DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=*"
        rightsourceip=10.0.0.0/24
        auto=add

So now generating different certificates with right ids should bring you 
into the correct subnet.
Further, by choosing a rightsourceip you can configure your firewall to 
accept connections to some hosts depending on the sender's address. In 
my config I have different rightsourceips defined...

Your firewall settings can be edited or configured. The default script for 
that is the updown script of strongSwan. On Debian wheezy I could find it 
in /usr/libexec/ipsec/_updown

Hope this helps.
Kind regards
Uli
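As an added example (not from this e-mail and not strongSwan's own code): a simplified Python model of how the two rightid patterns above sort peer certificates into conns by subject DN (RDNs compared in order, CN=* matching any CN), plus the kind of per-pool FORWARD rule an updown script could install. The sample DNs and the rule shape are constructed assumptions; strongSwan's real matcher handles DN encoding details this model ignores.

```python
# Added example (not from the e-mail or strongSwan): a simplified model of
# strongSwan's DN identity matching applied to the two conns above.
# Real strongSwan compares RDNs in order and lets '*' match any value; escaped
# commas and other DN encoding subtleties are ignored here.
from typing import Dict, List, Optional, Tuple

# conn name -> (rightid pattern, leftsubnet, rightsourceip), taken from the config above
CONNS: Dict[str, Tuple[str, str, str]] = {
    "group1": ("DC=de, DC=company, O=Companyname, OU=group1 certificate, CN=*",
               "192.168.5.0/24", "10.0.50.0/24"),
    "group2": ("DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=*",
               "192.168.5.0/24,192.168.3.0/24", "10.0.0.0/24"),
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'A=x, B=y' into [('A', 'x'), ('B', 'y')] (no escaped commas)."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_matches(pattern: str, subject: str) -> bool:
    """Every RDN must agree by position; a pattern value of '*' matches anything."""
    pat, sub = parse_dn(pattern), parse_dn(subject)
    return len(pat) == len(sub) and all(
        pa == sa and (pv == "*" or pv == sv) for (pa, pv), (sa, sv) in zip(pat, sub))

def select_conn(subject_dn: str) -> Optional[str]:
    """First conn whose rightid matches the peer's subject DN; None means no conn."""
    for name, (rightid, _, _) in CONNS.items():
        if dn_matches(rightid, subject_dn):
            return name
    return None

def forward_rules(conn: str) -> List[str]:
    """Constructed iptables rules of the kind an updown script could install:
    only the conn's rightsourceip pool may reach the conn's leftsubnet(s)."""
    _, leftsubnet, pool = CONNS[conn]
    return [f"iptables -A FORWARD -s {pool} -d {net} -m policy --dir in --pol ipsec -j ACCEPT"
            for net in leftsubnet.split(",")]

if __name__ == "__main__":
    # constructed sample subject DNs: one group2 member, one unknown OU
    for dn in ("DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=joe.bloggs",
               "DC=de, DC=company, O=Companyname, OU=group9 certificate, CN=mallory"):
        print(dn, "->", select_conn(dn))
```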


On 05.06.2013 10:36, Paton, Andy wrote:
>
> I am trying to design a unified VPN gateway - by unified I mean one 
> VPN headend, which can handle connections to multiple backends. I have 
> a VM with a number of NICs attached:
>
> eth0 - Front Facing IP of Headend 10.1.0.2/30
> eth1 - Backend Resource group A 172.18.81.137/24
> eth2 - Backend Resource group B 162.18.81.137/24
>
> So the intention is to configure the VPN connection to inspect a 
> device/user certificate (x509) and route to the backend resource 
> according to an ACL.
>
> So for example -
>
> Joe Bloggs is permitted to access resources on both backend A & B. 
> Mickey Mouse is permitted to access only resources on backend B.
>
> Joe Bloggs establishes VPN connection to the headend, and attempts to 
> connect to a resource: 172.17.81.142 for example, on resource group A. 
> Based on Joe's certificate he should be routed accordingly for 
> this request.
>
> If Mickey Mouse attempts to access the same resource, because the 
> certificate doesn't permit access - then strongSwan should block 
> access to this IP address.
>
> How might I go about configuring strongSwan to do this?
>
> Current config looks like this - for dropping resources onto a single 
> subnet:
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         ike=aes256-sha256-modp1024!
>         esp=aes256-sha256-modp1024!
>
> conn rw
>         #left=10.1.0.2
>         leftcert=supermanCert.der
>         leftid="CN=EN, O=JusticeLeague, CN=Metropolis"
>         leftsubnet=172.17.81.137/27
>         leftfirewall=yes
>         right=%any
>         rightsourceip=10.3.100.0/24
>         rightid=%any
>         keyexchange=ikev2
>         auto=add
>
> Andy Paton
> Business Development Solution Architect
> HP Enterprise Services


-- 
Ulrich Schinz
ulrich.schinz at ksfh.de

Katholische Stiftungsfachhochschule München
Benediktbeuern Department
Don Bosco Str. 1
83671 Benediktbeuern
Phone +49 8857 88 506
www.ksfh.de

