[strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

Wed Feb 28 06:01:46 CET 2018

On 2018-02-27 Tobias Brunner wrote:
> Hi Trevor,
> 
> > Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> 
> Yes, it's trustworthy.  While the client can send an arbitrary value,
> it has to match an identity in the certificate (either the subject DN
> or a SAN).

That's great news!

> > So I then tried user certs to select on EAP identity in the user
> > cert. Set that up then finally found a couple of emails/sites that
> > said strongswan can't switch conns based on identitiy.  
> 
> That's not entirely true.  If you delegate the authentication to a
> RADIUS server it can send back class attributes that strongSwan can
> use to select configs (via rightgroups=<class>).  That makes it easy
> to use different configs for multiple groups of users.
> 
> But even without RADIUS you can match configs against EAP identities.
> It requires a dummy config that requests the EAP identities from the
> clients, though.  Let's say you have two clients, one is
> trevor at foo.com and one is carol at foo.com, then you may configure the
> following:

That's even better!  Great idea.  I sure did a lot of searching and I
never found mention of that rightgroups trick.  I just set it up and it
works!  I had to add one more thing, though (for others reading this),
you have to add rightgroups=  (i.e. blank) on the final matching conn
(i.e. eap-tls-trevor) or it will never match either.

eap_identity doesn't seem to allow wildcards (does it?) so I'll need a
conn for every single user.  I was hoping to to group them with
wildcards, like eap_identity=roadwarrior*@foo.com and
eap_identity=proxy*@foo.com.  But that's ok, I'll just have a script
generate all the per-user stanzas for ipsec.conf.

There's no RADIUS server at our site, so that's a no go, so I'm glad I
don't require one to do this.  Seems a pain to set one up just for this
purpose :-)

> If carol connects now you'd see something like this in the log:

Yes, you're exactly right.  I would never have guessed this approach
was possible, and in all my research I never found it documented.  It
should be noted somewhere (though at least this email now documents it.

I still can't have it so I can access >1 connection type from the *same*
user in Windows 7, as they give you no way to pick which user cert is
used from the personal store (from what I can tell).  However, I can
live with this limitation and setup a different Windows user for each
connection type I want.  Works great!

My only other concern is now I have the exact same rightsourceip range
set in multiple conn stanzas (i.e. rightsourceip=10.1.1.0/24.  I'm
hoping strongswan will lump identical rightsourceip's all together so
the first connection hitting eap-tls-trevor-roadwarrior gets, say,
10.1.1.1, and eap-tls-carol-roadwarrior (connecting while trevor is
still connected) gets 10.1.1.2 (and not 10.1.1.1!). i.e. the
rightsourceip ranges are considered/assigned globally, not per conn
stanza.

I'm sure this must be the case, as I could easily have another
intermediate stanza, say eap-tls-shared-roadwarrior that
eap-tls-trevor-roadwarrior also's which contains the rightsourceip, in
which case it would not be duplicated in any other stanza, even though
it is used in many sub-stanzas.

Thanks so much!  Having this working is really awesome.  I learned way
more about ipsec + strongswan than I ever wanted to, but it was worth
it in the end.  (The biggest problem being Windows is braindead.)

Is there a way to donate a modest amount to the project or to you
personally?  You (and a few others) provide the best support I think
I've ever seen for an open source project.  No small feat seeing as how
it's an insanely complex piece of software.