[strongSwan] Restrict reachable IP address space (IKEv2-EAP VPN)

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 19 15:09:39 CET 2018


The proper solution is to use either ...
1) attribute certificates that certifify group membership for the client
2) Use a AAA service (RADIUS!) to get group memberships from the user directory

Then use rightgroups to switch conns based on the user's group membership.

Kind regards


On 17.01.2018 16:14, Peter Benko wrote:
> Hi all,
> I have a working strongswan IKEv2-EAP VPN setup, where remote (windows) clients connect to a corporate LAN.
> Now I'd like to select certain 'restricted' users that are only able to access a single IP address on the corporate network. My initial idea is to use iptables rules for that on the VPN server. For this to work, I'd need a separate client IP address range allocated for these 'restricted' users. How can I do this? Is it possible to define a separate connection in ipsec.conf based on e.g., server DNS name (e.g., vpn-resticted.domain.com instead of vpn.domain.com)? In this 'restricted' connection, I could define a different rightsourceip range, which I could use in the iptables rules... But how could I prevent clients connecting to the unrestricted vpn.domain.com?
> Or am I completely wrong here? Is there maybe a more straightforward way to achive my high level goal?
> Thanks,
> Peter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180119/65d4ed81/attachment.sig>

More information about the Users mailing list