[strongSwan] binding users to separate vpns

Martin Willi martin at strongswan.org
Tue May 13 14:26:51 CEST 2014


Alexander,

> Maybe someone knows another way to allow users to connect to
> different VPNs (different conn sections of the configuration file)?

There is no direct way to map a list of users to a single connection.
Having a connection for each user could work, but that probably won't
scale that well.

Depending on the type of authentication you prefer, there are two
different ways in which you could map users to groups:

      * If you authenticate users with IKE certificate authentication
        (machine certificates), you could go for Attribute Certificates.
        Windows does not have direct support for that, but you could
        import Attribute Certificates locally on strongSwan. See [1] for
        an acert example.
      * If you prefer to authenticate with username/password, go for
        EAP-MSCHAPv2 on Windows and a RADIUS backend server. This allows
        you to use an existing AAA backend. These usually provide a
        mechanism to map users to groups. This group information can be
        returned in the Class attribute to strongSwan to select the
        appropriate config. Refer to [2] for a RADIUS example.

Both ways yield group membership information for the authenticated
users, which you can then use to select a configuration using the
ipsec.conf rightgroups option.

Of course there are other ways to implement such a group selection
mechanism by writing a plugin. For example you could query a relational
database. There is currently no such plugin, though.

Regards
Martin

[1] http://www.strongswan.org/uml/testresults/ikev2/acert-fallback/index.html
[2] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-class-radius/index.html
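As an added illustration of the RADIUS-based selection described in the message above (not part of the original mail or of the linked strongSwan test cases), the following shows the two configuration pieces involved: a strongswan.conf fragment that tells the eap-radius plugin to treat the RADIUS Class attribute as group membership, and an ipsec.conf with one conn per group selected through rightgroups. Both files are shown in one fence, separated by comments. The gateway certificate name, identities, subnets, the RADIUS server address and the shared secret are placeholders chosen for the example; the group names "finance" and "sales" are assumed to match the Class attribute values the AAA server returns for members of those groups.

```ini
# --- strongswan.conf (assumed values) ---
charon {
    plugins {
        eap-radius {
            # Use the Class attribute from Access-Accept as group information,
            # so it can be matched against rightgroups in ipsec.conf.
            class_group = yes
            servers {
                primary {
                    address = 192.0.2.10            # placeholder RADIUS server
                    secret = REPLACE_WITH_RADIUS_SECRET
                }
            }
        }
    }
}

# --- ipsec.conf (assumed values) ---
config setup

conn %default
    keyexchange=ikev2
    # Gateway authenticates with its certificate, clients with EAP via RADIUS
    # (Windows clients use EAP-MSCHAPv2 against the RADIUS backend).
    left=%any
    leftid=@vpn.example.org                  # placeholder gateway identity
    leftcert=vpnGatewayCert.pem              # placeholder certificate file
    leftauth=pubkey
    right=%any
    rightauth=eap-radius
    eap_identity=%identity
    auto=add

# Only peers whose Class attribute yields the group "finance" may use this conn.
conn finance
    leftsubnet=10.1.0.0/16                   # placeholder finance network
    rightsourceip=10.3.1.0/24                # placeholder address pool
    rightgroups=finance

# Only peers in the group "sales" may use this conn.
conn sales
    leftsubnet=10.2.0.0/16                   # placeholder sales network
    rightsourceip=10.3.2.0/24                # placeholder address pool
    rightgroups=sales
```

The rightgroups check is evaluated after authentication: a client that authenticates successfully but whose returned group does not match the conn it initially matched on is not granted that conn, and strongSwan tries the remaining conns with compatible identities and authentication settings instead. A user with no matching group is therefore refused rather than silently placed into a default policy, which is the behaviour to verify in the charon log when testing such a setup.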
