[strongSwan] Ikev2 wildcards with MacOs clients

Matthieu Nantern matthieu.nantern at margo.com
Fri Oct 5 08:31:06 CEST 2018


We are using certificates (one for each client device), but I have 2
networks: n1 and n2, and I want some users to be able to access n1 and
others n1 + n2.

I wanted to make the distinction by using a conf like this:

conn alice
	leftsubnet=10.1.0.10/32
	right=%any
	rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
	auto=add
	
conn venus
	leftsubnet=10.1.0.20/32
	right=%any
	rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
	auto=add

But unfortunately with the macOS client I don't get the Distinguished Name,
only the FQDN:

ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastname at test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o

And if you compare that with the strongSwan Android client:

ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastname at test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o

So I cannot route my users according to their certificates, and I was
wondering what I can do?

On Thu, 4 Oct 2018 at 19:42, bls s <bls3427 at outlook.com> wrote:

> Someone will likely explain why using certificates sucks, but if you use
> certificates (one for each client device) you'll have fine-grained user
> access control (by revoking/deleting certs), and you don't need to list all
> the enabled certs anywhere in your config file.
> ------------------------------
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of Matthieu
> Nantern <matthieu.nantern at margo.com>
> *Sent:* Thursday, October 4, 2018 8:41 AM
> *To:* users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Ikev2 wildcards with MacOs clients
>
> Is it possible to have multiple email addresses in the "rightid" parameter?
> Maybe I can list all authorized users for each server instead of relying on
> Distinguished Names?
>
> On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern <matthieu.nantern at margo.com>
> wrote:
>
> Hi!
>
> I installed strongSwan to allow my users (mainly Mac OS X clients) to use
> the native IKEv2 authentication. Everything is working fine.
>
> Now I would like to implement something like this:
> https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
> allowing some clients to access some networks and not others.
>
> Unfortunately I didn't see (or understand) the issue on that page
> (https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):
>
>
>    - ASN.1 Distinguished Names can't be used as identities because the
>    client currently sends them as identities of type FQDN.
>
>
> As a result, when I put rightid in my configuration it doesn't work,
> because Mac OS X only sends an FQDN (an email address in my case) and not
> the Distinguished Name.
>
> My question is: how can I allow (or deny) some networks to some users?
>
> I have a file that associates email addresses with "roles", but I don't know
> how to use it. Maybe a plugin?
>
> Any ideas/links?
>
> Thank you!
> --
>
> Matthieu Nantern

-- 

Matthieu Nantern
SRE, Margo Bank
+33683148506
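As an added example (not part of this thread or of the strongSwan project), a small Python audit that parses `ipsec statusall` lines like the ones quoted above, reports which identity type each remote peer presented, and checks whether that identity would be accepted by a DN-wildcard `rightid` such as the one in `conn alice`. The status output is constructed from the two sessions shown in the thread, and `dn_matches` is a simplified model of strongSwan's DN wildcard comparison, not its code.

```python
import re

# Constructed sample of `ipsec statusall` output, modelled on the two sessions
# quoted in the thread (a macOS client, then the strongSwan Android client).
SAMPLE_STATUS = """\
ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastname@test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o
ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastname@test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o
"""

# IKE_SA line: conn[id]: ESTABLISHED ..., local[local-id]...remote[remote-id]
SA_LINE = re.compile(
    r"^(?P<conn>[\w-]+)\[\d+\]: ESTABLISHED .*?, "
    r"\S+?\[[^\]]*\]\.\.\.(?P<rhost>\S+?)\[(?P<rid>[^\]]*)\]$"
)
DN_ATTR = re.compile(r"^\s*[A-Za-z]+=.+$")  # one RDN such as "OU=Research"


def identity_type(ident: str) -> str:
    """Classify an identity as strongSwan prints it. FQDN and RFC822 (e-mail)
    identities look the same in the log, and macOS sends the e-mail address as
    an FQDN-typed identity, so an '@' string is reported as either."""
    if all(DN_ATTR.match(p) for p in ident.split(",")):
        return "DN"
    return "FQDN-or-RFC822"


def parse_dn(dn: str) -> list:
    """'C=FR, O=Test, CN=x' -> [('C','FR'), ('O','Test'), ('CN','x')]
    (plain commas only; escaped commas inside values are not handled)."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def dn_matches(pattern: str, ident: str) -> bool:
    """Simplified rightid DN matching: same RDNs in the same order, '*' accepts
    any value. A non-DN identity (what macOS presents) never matches."""
    if identity_type(ident) != "DN":
        return False
    pat, got = parse_dn(pattern), parse_dn(ident)
    return len(pat) == len(got) and all(
        pa == ga and pv in ("*", gv) for (pa, pv), (ga, gv) in zip(pat, got)
    )


def audit(status_text: str, rightid: str) -> list:
    """Per ESTABLISHED IKE_SA: (conn, remote host, remote id, id type, matches)."""
    found = filter(None, map(SA_LINE.match, status_text.splitlines()))
    return [(m["conn"], m["rhost"], m["rid"], identity_type(m["rid"]),
             dn_matches(rightid, m["rid"])) for m in found]
```

Running `audit(SAMPLE_STATUS, "C=FR, O=Test, OU=Prod, CN=*")` shows the macOS session as a non-DN identity that no DN-wildcard `rightid` can match, while the Android session matches.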