[strongSwan] Restrict reachable IP address space (IKEv2-EAP VPN)

Peter Benko pbopbo at freemail.hu
Wed Jan 17 16:14:56 CET 2018

Hi all,

I have a working strongswan IKEv2-EAP VPN setup, where remote (windows) clients connect to a corporate LAN.

Now I'd like to select certain 'restricted' users that are only able to access a single IP address on the corporate network. My initial idea is to use iptables rules for that on the VPN server. For this to work, I'd need a separate client IP address range allocated for these 'restricted' users. How can I do this? Is it possible to define a separate connection in ipsec.conf based on e.g., server DNS name (e.g., vpn-resticted.domain.com instead of vpn.domain.com)? In this 'restricted' connection, I could define a different rightsourceip range, which I could use in the iptables rules... But how could I prevent clients connecting to the unrestricted vpn.domain.com?

Or am I completely wrong here? Is there maybe a more straightforward way to achive my high level goal?



More information about the Users mailing list