[strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

Tobias Brunner tobias at strongswan.org
Wed Feb 28 09:41:15 CET 2018

Hi Trevor,

>>> So I then tried user certs to select on EAP identity in the user
>>> cert. Set that up then finally found a couple of emails/sites that
>>> said strongswan can't switch conns based on identity.
>> That's not entirely true.  If you delegate the authentication to a
>> RADIUS server it can send back class attributes that strongSwan can
>> use to select configs (via rightgroups=<class>).  That makes it easy
>> to use different configs for multiple groups of users.
>> But even without RADIUS you can match configs against EAP identities.
>> It requires a dummy config that requests the EAP identities from the
>> clients, though.  Let's say you have two clients, one is
>> trevor at foo.com and one is carol at foo.com, then you may configure the
>> following:
> That's even better!  Great idea.  I sure did a lot of searching and I
> never found mention of that rightgroups trick.  I just set it up and it
> works!  I had to add one more thing, though (for others reading this),
> you have to add rightgroups=  (i.e. blank) on the final matching conn
> (i.e. eap-tls-trevor) or it will never match either.

That probably depends on which connection you include with the also
keyword.  In my example only the eap-tls-init connection has rightgroups
set, which is not included in the other two connections (they include
the eap-tls-shared connection, which eap-tls-init also includes).  If
you define rightgroups in the shared connection or in conn %default you
do have to clear it in the "end" connections.

> eap_identity doesn't seem to allow wildcards (does it?) so I'll need a
> conn for every single user.  I was hoping to group them with
> wildcards, like eap_identity=roadwarrior*@foo.com and
> eap_identity=proxy*@foo.com.

Wildcards are supported, but wildcards like above are currently not
supported by strongSwan at all.  In email addresses you can only match
domains, i.e. what would work is something like *@roadwarrior.foo.com
and *@proxy.foo.com.

> My only other concern is now I have the exact same rightsourceip range
> set in multiple conn stanzas (i.e. rightsourceip=  I'm
> hoping strongswan will lump identical rightsourceip's all together so
> the first connection hitting eap-tls-trevor-roadwarrior gets, say,
>, and eap-tls-carol-roadwarrior (connecting while trevor is
> still connected) gets (and not!). i.e. the
> rightsourceip ranges are considered/assigned globally, not per conn
> stanza.

Yes, the pools are merged (provided they are exactly the same in all the
connections, no matter if defined directly or included via also keyword
or conn %default).

> Is there a way to donate a modest amount to the project or to you
> personally?  You (and a few others) provide the best support I think
> I've ever seen for an open source project.  No small feat seeing as how
> it's an insanely complex piece of software.

Thanks.  We have a Bitcoin donation button on wiki.strongswan.org, but
that is currently defunct.  Maybe we can get that up again soon.
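For readers trying to reproduce the setup discussed in this thread, here is an added ipsec.conf sketch of the three-connection layout (dummy init conn, shared conn, per-user end conns). It is not Tobias's original example and not configuration from the strongSwan project; the server certificate, subnets, pool range and the group name "nomatch" are assumed placeholders.

```ini
# Added example, not the list post's own config. Assumed placeholders:
# server.pem, vpn.foo.com, 10.1.0.0/16, 10.9.0.0/24, group name "nomatch".
conn eap-tls-shared
    keyexchange=ikev2
    left=%any
    leftid=@vpn.foo.com
    leftcert=server.pem
    leftsubnet=10.1.0.0/16
    leftauth=pubkey
    right=%any
    rightauth=eap-tls
    auto=add

# Dummy connection: matches any EAP-TLS client first and asks it for its
# EAP identity (%identity). Only this conn sets rightgroups, naming a group
# no client is a member of, so charon does not settle on it and reselects
# a connection once the EAP identity is known.
conn eap-tls-init
    also=eap-tls-shared
    eap_identity=%identity
    rightgroups=nomatch

# Per-user "end" connections, selected by EAP identity. They include
# eap-tls-shared, which has no rightgroups, so nothing needs clearing here.
# If rightgroups were set in eap-tls-shared or in conn %default, each end
# conn would need an explicit empty "rightgroups=" to clear it.
conn eap-tls-trevor
    also=eap-tls-shared
    eap_identity=trevor@foo.com
    rightsourceip=10.9.0.0/24

# Same pool definition as above: identical rightsourceip values are merged
# into one shared pool, so carol and trevor never get the same address.
conn eap-tls-carol
    also=eap-tls-shared
    eap_identity=carol@foo.com
    rightsourceip=10.9.0.0/24
```

A domain wildcard such as eap_identity=*@roadwarrior.foo.com could replace the per-user identity in an end conn; a local-part wildcard like roadwarrior*@foo.com is not supported.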