[strongSwan] Certificate Based Routing
Paton, Andy
andy.paton at hp.com
Wed Jun 5 11:35:37 CEST 2013
Uli,
Thank you for the response.
I think this certainly would work to achieve what I need but I don't think it would scale well...
If we say had 3 backend subnets, there are 7 IP address pools that potentially need firewalling... I am looking at the potential of having 10+ backends.
I wonder if there are any more scalable options?
Regards,
Andy Paton
Business Development Solution Architect
HP Enterprise Services
From: Ulrich Schinz [mailto:ulrich.schinz at ksfh.de]
Sent: 05 June 2013 10:20
To: Paton, Andy; users at lists.strongswan.org
Subject: Re: [strongSwan] Certificate Based Routing
Hey Andy,
maybe this helps a bit. I tried something similar, I tried to establish a "group"-system based on my certificates. So here is my server config:
conn group1
    left=192.168.0.200
    leftcert=vpnserver.crt
    leftsubnet=192.168.5.0/24
    leftid=vpnserver.of.our.company.fqdn
    leftfirewall=yes
    right=%any
    rightid="DC=de, DC=company, O=Companyname, OU=group1 certificate, CN=*"
    rightsourceip=10.0.50.0/24
    auto=add

conn group2
    left=192.168.0.200
    leftcert=vpnserver.crt
    leftsubnet=192.168.5.0/24,192.168.3.0/24
    leftid=vpnserver.of.our.company.fqdn
    leftfirewall=yes
    right=%any
    rightid="DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=*"
    rightsourceip=10.0.0.0/24
    auto=add
So now generating different certificates with right ids should bring you in the correct subnet.
Further, by choosing a rightsourceip you can configure your firewall to accept connections to some hosts depending on the
sender's address. In my config I have different rightsourceips defined...
Your firewall settings can be edited or configured. The default script for that is the updown script of strongSwan. On Debian
wheezy I could find it in /usr/libexec/ipsec/_updown
Hope this helps.
Kind regards
Uli
On 05.06.2013 10:36, Paton, Andy wrote:
I am trying to design a unified VPN gateway - by unified I mean one VPN headend, which can handle connections to multiple backends. I have a VM with a number of NICs attached:
eth0 - Front Facing IP of Headend 10.1.0.2/30
eth1 - Backend Resource group A 172.18.81.137/24
eth2 - Backend Resource group B 162.18.81.137/24
So the intention is to configure the VPN connection to inspect a device/user certificate (x509) and route to the backend resource according to an ACL.
So for example -
Joe Bloggs is permitted to access resources on both backend A & B. Mickey Mouse is permitted to access only resources on backend B.
Joe Bloggs establishes a VPN connection to the headend, and attempts to connect to a resource: 172.17.81.142 for example, on resource group A. Based on Joe's certificate he should be routed accordingly for this request.
If Mickey Mouse attempts to access the same resource, because the certificate doesn't permit access - then strongSwan should block access to this IP address.
How might I go about configuring strongSwan to do this?
Current config looks like this - for dropping resources onto a single subnet:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256-modp1024!

conn rw
    #left=10.1.0.2
    leftcert=supermanCert.der
    leftid="CN=EN, O=JusticeLeague, CN=Metropolis"
    leftsubnet=172.17.81.137/27
    leftfirewall=yes
    right=%any
    rightsourceip=10.3.100.0/24
    rightid=%any
    keyexchange=ikev2
    auto=add
Andy Paton
Business Development Solution Architect
HP Enterprise Services
--
Ulrich Schinz
ulrich.schinz at ksfh.de
___________________________________________
Katholische Stiftungsfachhochschule München
Abteilung Benediktbeuern
Don Bosco Str. 1
83671 Benediktbeuern
Phone +49 8857 88 506
www.ksfh.de
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this e-mail. Unauthorized copying or forwarding of this e-mail is not permitted.
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
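An added example, written here for this thread and not part of either poster's mail or of strongSwan's own _updown script. It takes Uli's per-group conn layout (one conn per certificate OU, each with its own leftsubnet list) and Andy's scaling worry (10+ backends, many pools) and shows a custom leftupdown= hook whose firewall rules are keyed on the connection name rather than on the address pool: with leftfirewall=yes strongSwan already inserts one FORWARD rule per negotiated child SA from PLUTO_PEER_CLIENT and PLUTO_MY_CLIENT, so the number of rules grows with the number of groups and backends actually in use, not with pools times backends. The PLUTO_VERB, PLUTO_CONNECTION, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT variables are the ones charon exports to an updown script; the connection names group1/group2 and the backend subnets in the allow table are constructed values for illustration, and the allow table itself is an extra belt-and-braces check that a child SA was not negotiated for a subnet outside the group's list.

```shell
#!/bin/sh
# Constructed example of a custom updown hook for strongSwan (hypothetical;
# not the stock _updown). Install with leftupdown=/path/to/this in ipsec.conf.
# charon calls it with PLUTO_VERB (up-client, down-client, ...), PLUTO_CONNECTION
# (the conn name), PLUTO_PEER_CLIENT (the client's pool address, e.g. 10.0.50.7/32)
# and PLUTO_MY_CLIENT (the backend subnet negotiated for this child SA).

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run

# Allow table: connection name -> backend subnets that certificate group may reach.
# Constructed values; in practice mirror the leftsubnet= list of each conn.
group_backends() {
    case "$1" in
        group1) echo "172.18.81.128/27" ;;
        group2) echo "172.18.81.128/27 162.18.81.0/24" ;;
        *)      return 1 ;;   # unknown connection name: nothing allowed
    esac
}

# Returns 0 if backend subnet $2 is in the allow list of connection $1.
backend_allowed() {
    nets=$(group_backends "$1") || return 1
    for net in $nets; do
        [ "$net" = "$2" ] && return 0
    done
    return 1
}

# Build the FORWARD rule for one child SA and print it (does not run it).
# $1 = verb (up-client|down-client), $2 = conn name,
# $3 = peer client (pool address), $4 = my client (backend subnet).
# Exit status 1 = unsupported verb, 2 = subnet not allowed for this group.
fw_rule() {
    verb="$1"; conn="$2"; peer="$3"; mine="$4"
    case "$verb" in
        up-client)   op="-I" ;;
        down-client) op="-D" ;;
        *)           return 1 ;;
    esac
    backend_allowed "$conn" "$mine" || {
        echo "refused: $conn may not reach $mine" >&2
        return 2
    }
    # Match only traffic that arrived through an IPsec policy, as _updown does,
    # so a spoofed cleartext packet with a pool source address is not accepted.
    echo "$IPTABLES $op FORWARD -s $peer -d $mine -m policy --dir in --pol ipsec --proto esp -m comment --comment $conn -j ACCEPT"
}

# Entry point when invoked by charon; PLUTO_VERB is only set in that case, so
# sourcing this file elsewhere (or running the checks below) does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    case "$PLUTO_VERB" in
        up-client|down-client)
            cmd=$(fw_rule "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT") || exit $?
            $cmd
            ;;
    esac
fi
```

Adding an eleventh backend for group2 is then one entry in its leftsubnet= list and one entry in the allow table; no per-pool rules are needed, and a client whose certificate only matches the group1 rightid never gets a child SA for the group2-only subnet in the first place, so the refusal path in fw_rule should stay silent in normal operation and is worth alerting on if it ever fires.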