[strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

Trevor Cordes strongswan at tecnopolis.ca
Wed Feb 28 06:01:46 CET 2018

On 2018-02-27 Tobias Brunner wrote:
> Hi Trevor,
> > Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> Yes, it's trustworthy.  While the client can send an arbitrary value,
> it has to match an identity in the certificate (either the subject DN
> or a SAN).

That's great news!

> > So I then tried user certs to select on EAP identity in the user
> > cert. Set that up then finally found a couple of emails/sites that
> > said strongswan can't switch conns based on identity.
> That's not entirely true.  If you delegate the authentication to a
> RADIUS server it can send back class attributes that strongSwan can
> use to select configs (via rightgroups=<class>).  That makes it easy
> to use different configs for multiple groups of users.
> But even without RADIUS you can match configs against EAP identities.
> It requires a dummy config that requests the EAP identities from the
> clients, though.  Let's say you have two clients, one is
> trevor at foo.com and one is carol at foo.com, then you may configure the
> following:

That's even better!  Great idea.  I sure did a lot of searching and I
never found mention of that rightgroups trick.  I just set it up and it
works!  I had to add one more thing, though (for others reading this),
you have to add rightgroups=  (i.e. blank) on the final matching conn
(i.e. eap-tls-trevor) or it will never match either.

eap_identity doesn't seem to allow wildcards (does it?) so I'll need a
conn for every single user.  I was hoping to group them with
wildcards, like eap_identity=roadwarrior*@foo.com and
eap_identity=proxy*@foo.com.  But that's ok, I'll just have a script
generate all the per-user stanzas for ipsec.conf.

There's no RADIUS server at our site, so that's a no go, so I'm glad I
don't require one to do this.  Seems a pain to set one up just for this
purpose :-)

> If carol connects now you'd see something like this in the log:

Yes, you're exactly right.  I would never have guessed this approach
was possible, and in all my research I never found it documented.  It
should be noted somewhere (though at least this email now documents it).

I still can't have it so I can access >1 connection type from the *same*
user in Windows 7, as they give you no way to pick which user cert is
used from the personal store (from what I can tell).  However, I can
live with this limitation and setup a different Windows user for each
connection type I want.  Works great!

My only other concern is now I have the exact same rightsourceip range
set in multiple conn stanzas (i.e. rightsourceip=  I'm
hoping strongswan will lump identical rightsourceip's all together so
the first connection hitting eap-tls-trevor-roadwarrior gets, say,, and eap-tls-carol-roadwarrior (connecting while trevor is
still connected) gets (and not!). i.e. the
rightsourceip ranges are considered/assigned globally, not per conn

I'm sure this must be the case, as I could easily have another
intermediate stanza, say eap-tls-shared-roadwarrior that
eap-tls-trevor-roadwarrior also's which contains the rightsourceip, in
which case it would not be duplicated in any other stanza, even though
it is used in many sub-stanzas.

Thanks so much!  Having this working is really awesome.  I learned way
more about ipsec + strongswan than I ever wanted to, but it was worth
it in the end.  (The biggest problem being Windows is braindead.)

Is there a way to donate a modest amount to the project or to you
personally?  You (and a few others) provide the best support I think
I've ever seen for an open source project.  No small feat seeing as how
it's an insanely complex piece of software.
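An added example, not from this thread and not strongSwan's own code: a small generator for the per-user ipsec.conf stanzas Trevor says he will script, using the dummy-conn, `eap_identity` and blank `rightgroups=` arrangement described above, with one shared stanza per connection type holding `rightsourceip` via `also=`. The user names, pool ranges, conn names and the placeholder group name are assumptions.

```python
from typing import Dict

# Constructed sample input (hypothetical users and pools, not from the thread).
USERS = {
    "trevor@foo.com": "roadwarrior",
    "carol@foo.com": "roadwarrior",
    "proxy1@foo.com": "proxy",
}
POOLS = {"roadwarrior": "10.10.1.0/24", "proxy": "10.10.2.0/24"}
PLACEHOLDER_GROUP = "no-such-group"  # assumption: no client ever carries it


def conn(name: str, **opts: str) -> str:
    """Render one ipsec.conf conn stanza (options emitted in the given order)."""
    return f"conn {name}\n" + "".join(f"    {k}={v}\n" for k, v in opts.items())


def generate(users: Dict[str, str] = USERS, pools: Dict[str, str] = POOLS) -> str:
    """Emit the dummy conn, one shared stanza per connection type, and one
    final conn per user, chained together with also=."""
    out = [
        # Dummy conn: eap_identity=%identity makes strongSwan ask the client for
        # its EAP identity; the placeholder group keeps it from ever completing.
        conn("eap-tls-dummy", keyexchange="ikev2", left="%any", leftauth="pubkey",
             rightauth="eap-tls", eap_identity="%identity",
             rightgroups=PLACEHOLDER_GROUP, auto="add"),
    ]
    for ctype, pool in pools.items():
        # Shared stanza holds the pool once; per-user conns inherit it via also=.
        out.append(conn(f"eap-tls-shared-{ctype}", also="eap-tls-dummy",
                        rightsourceip=pool))
    for ident, ctype in users.items():
        # Final conn: fixed EAP identity, plus rightgroups= (blank) to override
        # the inherited placeholder group, which Trevor found was required.
        out.append(conn(f"eap-tls-{ident.split('@')[0]}-{ctype}",
                        also=f"eap-tls-shared-{ctype}", eap_identity=ident,
                        rightgroups=""))
    return "\n".join(out)


def parse(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader: conn name -> {option: value}, for checking the output."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key] = value
    return conns


if __name__ == "__main__":
    print(generate())
```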
