[strongSwan] Ikev2 wildcards with MacOs clients

bls s bls3427 at outlook.com
Thu Oct 4 19:42:48 CEST 2018

Someone will likely explain why using certificates sucks, but if you use certificates (one for each client device) you'll have fine-grained user access control (by revoking/deleting certs), and you don't need to list all the enabled certs anywhere in your config file.
From: Users <users-bounces at lists.strongswan.org> on behalf of Matthieu Nantern <matthieu.nantern at margo.com>
Sent: Thursday, October 4, 2018 8:41 AM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Is it possible to have multiple email addresses in the "rightid" parameter? Maybe I can list all authorized users for each server instead of relying on Distinguished Names?

On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern <matthieu.nantern at margo.com> wrote:
Hi !

I installed strongSwan to allow my users (mainly macOS clients) to use the native IKEv2 authentication. Everything is working fine.

Now I would like to implement something like this: https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html ; allowing some clients to access some networks and not others.

Unfortunately I didn't see (or understand) the issue on that page (https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):

  * ASN.1 Distinguished Names can't be used as identities because the client currently sends them as identities of type FQDN.

As a result, when I put rightid in my configuration it's not working, because macOS is only sending an FQDN (an email address in my case) and not the Distinguished Name.

My question is: how can I allow (or deny) some network to some user?

I have a file that associates email addresses to "roles" but I don't know how to use it. Maybe a plugin?

Any ideas/links?

Thank you!

Matthieu Nantern


Matthieu Nantern
SRE, Margo Bank
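One way to combine the two suggestions in this thread (one certificate per device, and one rightid per authorized identity, with the reachable network decided by which conn that identity selects) is shown below. This is an added example, not configuration from the thread or from the strongSwan wildcards test scenario; the gateway name, certificate file names, subnets and user addresses are assumptions, and the file uses ipsec.conf syntax because that is what the thread's rightid refers to. The per-user sections work because strongSwan picks the conn whose rightid matches the IDi the client sends, and, with rightauth=pubkey, only accepts that IDi if it is contained in the client's certificate (here as a subjectAltName rfc822Name), so a client cannot claim another user's address to land in a more privileged conn. Since rightid takes a single identity, the e-mail-to-role file becomes a template conn per role plus one small conn per user that pulls the template in with also=.

```conf
# ipsec.conf -- constructed example, not from the thread.
# Assumptions: the gateway is vpn.example.com, each client device has its own
# certificate whose subjectAltName rfc822Name is the user's e-mail address,
# and the Apple profile's LocalIdentifier is that same address, so the
# IKE_AUTH IDi arrives as e.g. "alice@margo.com".
config setup
    strictcrlpolicy=yes           # a revoked (or uncheckable) client cert is rejected

conn %default
    keyexchange=ikev2
    left=%any
    leftid=vpn.example.com        # must equal RemoteIdentifier in the Apple profile
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    rightauth=pubkey              # the e-mail identity is bound to the client cert
    rightsourceip=10.99.0.0/24
    dpdaction=clear
    auto=add

# Role templates, one per distinct role in the "e-mail -> role" file.
# auto=ignore matters: a template has no rightid, so if it were loaded as a
# live conn it would match any client with a valid certificate and hand it
# the role's network.
conn role-admin
    leftsubnet=10.0.0.0/8         # gateway narrows the client's 0.0.0.0/0 request to this
    auto=ignore

conn role-staff
    leftsubnet=10.0.5.0/24
    auto=ignore

# One conn per user: rightid carries exactly one identity, so N users in a
# role means N sections pointing at the same template via also=.
# The configured identity must match the type as well as the value the
# client sends; if an exact-match conn is not selected for a known-good
# client, pin the type with rightid=fqdn:alice@margo.com (assumption: the
# client sends the address as an FQDN, as the Apple wiki page describes).
conn alice
    also=role-admin
    rightid=alice@margo.com
    auto=add

conn bob
    also=role-staff
    rightid=bob@margo.com
    auto=add

# Optional catch-all for the rest of the domain. An exact rightid match is
# preferred over a wildcard one, so alice and bob still get their own conn.
# Assumes a leading "*" is accepted for the identity type the client sends;
# verify this with a test client before relying on it.
conn anyone-in-domain
    also=role-staff
    rightid=*@margo.com
    auto=add
```

Two things to check before trusting this as an access control: first, that every conn which grants a network has either a specific rightid or a deliberately chosen wildcard (a missing rightid is an "anyone with a cert" rule); second, that the identity is actually authenticated, which is the case for pubkey authentication because the IDi must appear in the certificate, but not for EAP methods, where the IDi is only a claim and access would have to key off the EAP identity instead.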