[strongSwan] server/client scenario with rsa auth or rsa plus xauth across all types of clients?

Cindy Moore ctmoore at cs.ucsd.edu
Fri Sep 19 20:45:22 CEST 2014 

I wanted to step back and take a bigger picture look, because I feel
like I'm getting really snarled in the middle of tiny details while
possibly missing bigger issues.


What I have:

vpn server: Ubuntu 14.04 deploying the latest StrongSwan version in
14.04's repositories.

clients: roadwarrior types: could be mac/windows/linux laptops, maybe
some home desktops, possibly also android or apple devices, either
tablets or phones.  The devices are not nearly as important.

network: vpn and nat (separate severs) are on our public vlans.  the
virtual ips are a small range of addresses within our private vlan
networks that we'll dedicate to the vpn server's use.  The rest of the
addresses are assigned to other servers, machines, etc. physically
present on those vlans.


What' I'd like to do:

Assign any particular client (we have maybe 50 or so) to a static
virtual ip address, that is to say each time BobClient.pem/equivalent
connects, he gets the same virtual ip address.

Ideally, I'd love for them all to authenticate via RSA certificate.
I'd like to be able to accept either ikev1 or ikev2 connections.  (I
now understand the presence of mac/apple means I must have ikev1).

I could also go with everyone must RSA cert authenticate, then xauth
via the xauth-pam module, but I'm not going to recompile strongswan
for that module unless I know that's possible to get it to work with
all the possible clients I have.  If I must, it could be RSA plus
xauth via ipsec.secrets. But the vpn server is set up to authenticate
logins via pam to our ldap and it'd be cool to hook into that if
possible.

Anyway, ideally everyone would authenticate the same way.   I don't
want Carol asking me, "Well gee, Bob doesn't need username/password,
how come I have to do that?"



How I thought I'd approach this:

First I thought I'd try to set up as generic as possible connections
that would work for all of them (setting aside the static virtual ip
for the moment).

My question -- is this possible?  Is there some minimal roadwarrior
conn definition that all of these laptops/devices could all connect
to?  *Can* they all connect rsa only or rsa+xauth?

I'm trying to use native apps client side wherever possible, as I want
to minimize the work on the clients' end.  But it seems like between
the native apps and the various plugins or apps (eg
network-manager-strongswan, android strongswan app), I may have to
have at least two types of conns because of different authentication
types available/restrictions?

Obviously, if I want ikev2 connections, I will have to have a minimum
of two base conns because of mac/apple -- any other gotchas?  I don't
want to use the mac app since it looks like that forces me to use EAP.

Then once I got my minimum set of generic conns working for all the
roadwarrior types,  I could start making individualized conns, etc,
something like:

conn roadwarrior-bob
    also "basic-roadwarrior"
    right=bobCert.pem    # or maybe rightid="...CN=bob at client.com"  ?
    rightsourceip=1.2.3.6

conn roadwarrior-carol
    also "basic-roadwarrior"
    right=carolCert.pem # etc
    rightsourceip=1.2.3.7

and so on.  If someone didn't have an individualized conn, they could
drop down into a catchall conn that would dynamically assign a virtual
ip.


How feasible is this?

More information about the Users mailing list