[strongSwan] Ikev2 wildcards with MacOs clients

Matthieu Nantern matthieu.nantern at margo.com
Thu Oct 11 15:46:54 CEST 2018


It's working but I'm wondering if it's really secure? A user can just
change their Remote ID and gain access to the other networks, no?

I want something that is server-side. I can create one connection for each
user but it's ugly!

On Mon, Oct 8, 2018 at 21:05, bls s <bls3427 at outlook.com> wrote:

> Definitely interested in seeing it replicated. As an aside, I updated my
> CA management app https://github.com/gitbls/pistrong with more
> flexibility to generate this type of VPN cert. Unfortunately, it’s fully
> built around swanctl/systemd, not the legacy ipsec/ipsec.conf/…
> configuration. But, if you run into any issues, happy to help you wrangle
> it into debug mode to use that part of the tool.
>
>
>
> *From: *Matthieu Nantern <matthieu.nantern at margo.com>
> *Sent: *Sunday, October 7, 2018 11:23 PM
> *To: *bls3427 at outlook.com
> *Cc: *users at lists.strongswan.org
> *Subject: *Re: [strongSwan] Ikev2 wildcards with MacOs clients
>
>
> Very good idea! I will try that this week and will let you know if it
> works!
>
> Thank you!
>
> On Sun, Oct 7, 2018 at 00:17, bls s <bls3427 at outlook.com> wrote:
>
>> I just did a quick test using my iPhone, and it appears to work just
>> fine. Using 2 strongSwan profiles, each profile has a different VPN cert,
>> with different altNames in the cert. By changing the Remote ID on iOS I was
>> able to authenticate with each of the 2 profiles.
>>
>>
>>
>> *From: *bls s <bls3427 at outlook.com>
>> *Sent: *Friday, October 5, 2018 6:54 AM
>> *To: *Matthieu Nantern <matthieu.nantern at margo.com>
>> *Cc: *users at lists.strongswan.org
>> *Subject: *Re: [strongSwan] Ikev2 wildcards with MacOs clients
>>
>>
>> I haven't looked into this in detail, but could you use different VPN
>> certs for each subnet? Each VPN cert would be in a different conn section,
>> and they would have different altNames (SAN). If I understand the MacOS VPN
>> config correctly (looks a lot like iOS), when certs are installed onto
>> MacOS, you can specify the Remote ID, which is the SAN that matches that of
>> the VPN cert.
>>
>> From: Matthieu Nantern <matthieu.nantern at margo.com>
>> Sent: Thursday, October 4, 2018 11:31 PM
>> To: bls3427 at outlook.com
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>>
>> We are using certificates (one for each client device) but I have 2
>> networks: n1 and n2. And I want some users to be able to access n1 and
>> others n1 + n2.
>>
>>
>> I wanted to make the distinction by using a conf like this:
>>
>>
>> conn alice
>>         leftsubnet=10.1.0.10/32
>>         right=%any
>>         rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
>>         auto=add
>>
>> conn venus
>>         leftsubnet=10.1.0.20/32
>>         right=%any
>>         rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
>>         auto=add
>>
>> But unfortunately with the macOS client I don't get the Distinguished Name
>> but only the FQDN:
>>
>>
>> ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastname@test.com]
>> ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o
>>
>>
>> And if you compare that with the StrongSwan Android client:
>>
>>
>> ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastname@test.com]
>> ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o
>>
>>
>> So I cannot route my users according to their certificates and I was
>> wondering what I can do?
>>
>>
>>
>> On Thu, Oct 4, 2018 at 19:42, bls s <bls3427 at outlook.com> wrote:
>>
>> Someone will likely explain why using certificates sucks, but if you use
>> certificates (one for each client device) you'll have fine-grained user
>> access control (by revoking/deleting certs), and you don't need to list all
>> the enabled certs anywhere in your config file.
>> From: Users <users-bounces at lists.strongswan.org> on behalf of Matthieu
>> Nantern <matthieu.nantern at margo.com>
>> Sent: Thursday, October 4, 2018 8:41 AM
>> To: users at lists.strongswan.org
>> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>>
>> Is it possible to have multiple email addresses in the "rightid" parameter?
>> Maybe I can list all authorized users for each server instead of relying
>> on Distinguished Names?
>>
>>
>>
>> On Wed, Oct 3, 2018 at 08:42, Matthieu Nantern <matthieu.nantern at margo.com>
>> wrote:
>>
>> Hi!
>>
>>
>> I installed strongSwan to allow my users (mainly macOS clients) to use
>> the native IKEv2 authentication. Everything is working fine.
>>
>>
>> Now I would like to implement something like this:
>> https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
>> (allowing some clients to access some networks and not others).
>>
>>
>> Unfortunately I didn't see (or understand) the issue on that page
>> (https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):
>>
>>
>> ASN.1 Distinguished Names can't be used as identities because the client
>> currently sends them as identities of type FQDN.
>>
>>
>> As a result, when I put rightid in my configuration it's not working
>> because macOS is only sending an FQDN (an email address in my case) and not
>> the Distinguished Name.
>>
>>
>>
>> My question is: how can I allow (or deny) some networks to some users?
>>
>>
>>
>> I have a file that associates email addresses to a "role" but I don't know
>> how to use it. Maybe a plugin?
>>
>>
>> Any ideas/links?
>>
>>
>> Thank you!
>>
>> --
>>
>> Matthieu Nantern
>>

-- 

Matthieu Nantern
SRE, Margo Bank
+33683148506
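An added example of the server-side approach asked for in this thread (not code from the posters, from pistrong, or from the strongSwan project): a Python script that reads the email-to-role file the original poster mentions and emits one swanctl.conf connection per user. Each connection pins the client identity with `remote.id` (the swanctl form of `rightid`) and narrows the tunnel to that role's subnets with `local_ts` (the swanctl form of `leftsubnet`). This holds regardless of which Remote ID the client picks, because strongSwan only accepts a pubkey-authenticated identity that is the subject or a subjectAltName of the certificate the client proves possession of; a user can therefore only present an address that the CA put into their own certificate, which makes certificate issuance the control point. The role names, the n1/n2 prefixes, the certificate file name `serverCert.pem`, the pool name `rw-pool` and the sample role file are assumptions; only the server identity `vpn.test.net` is taken from the log output above.

```python
"""Generate per-user swanctl.conf connections from an email -> role file.

Added example for this thread, not code from strongSwan or from the
posters.  Role names, subnet prefixes, certificate and pool names below
are assumptions; only the server identity vpn.test.net comes from the
thread's log output.
"""
import re

# Assumed: which networks each role may reach.  This is the server-side
# equivalent of leftsubnet= (ipsec.conf) / local_ts (swanctl.conf).
ROLE_SUBNETS = {
    "research": ["10.1.0.0/24"],                   # n1 only
    "accounting": ["10.1.0.0/24", "10.2.0.0/24"],  # n1 + n2
}

# Constructed sample of the "email -> role" file described in the thread:
# one "email role" pair per line, '#' starts a comment.
SAMPLE_ROLE_FILE = """\
# email            role
alice@test.com     research
bob@test.com       accounting
carol@test.com     janitor
"""

EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def parse_role_file(text):
    """Return {email: role}.  Malformed and duplicate lines raise instead of
    being skipped, so a typo can never silently widen or drop an entry."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.lower().split()
        if len(parts) != 2 or not EMAIL_RE.match(parts[0]):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        email, role = parts
        if email in users:
            raise ValueError(f"line {lineno}: duplicate entry for {email}")
        users[email] = role
    return users


def conn_name(email):
    """Section name for swanctl.conf, restricted to [a-z0-9-]."""
    return "user-" + re.sub(r"[^a-z0-9]+", "-", email)


def render_connection(email, role, server_id, server_cert, pool):
    """One connection that accepts exactly this client identity and narrows
    the tunnel to the role's subnets.  remote.id is the swanctl form of
    rightid; the identity must also be a subject/SAN of the client's cert."""
    if role not in ROLE_SUBNETS:
        # Deny by default: an unknown role gets no connection at all.
        raise ValueError(f"{email}: unknown role {role!r}")
    # One child carrying all subnets: a client that builds a single
    # CHILD_SA would otherwise only ever see the first child it matches.
    local_ts = ",".join(ROLE_SUBNETS[role])
    return (
        f"    {conn_name(email)} {{\n"
        f"        version = 2\n"
        f"        pools = {pool}\n"
        f"        local {{\n"
        f"            auth = pubkey\n"
        f"            certs = {server_cert}\n"
        f"            id = {server_id}\n"
        f"        }}\n"
        f"        remote {{\n"
        f"            auth = pubkey\n"
        f"            id = {email}\n"
        f"        }}\n"
        f"        children {{\n"
        f"            {role} {{\n"
        f"                local_ts = {local_ts}\n"
        f"            }}\n"
        f"        }}\n"
        f"    }}\n"
    )


def render_config(users, server_id="vpn.test.net",
                  server_cert="serverCert.pem", pool="rw-pool"):
    """Whole connections {} section.  Raises if any user has an unknown role,
    so a mistake in the role file is noticed instead of silently locking
    that user out."""
    body = "".join(
        render_connection(email, role, server_id, server_cert, pool)
        for email, role in sorted(users.items())
    )
    return "connections {\n" + body + "}\n"


if __name__ == "__main__":
    users = parse_role_file(SAMPLE_ROLE_FILE)
    try:
        print(render_config(users))
    except ValueError as err:
        print(f"# refusing to write config: {err}")
        users.pop("carol@test.com")      # fix the role file, then rerun
        print(render_config(users))
```

Write the output into a file under /etc/swanctl/conf.d/ and run `swanctl --load-conns`. Use the same identity type the client certificate carries: strongSwan parses a bare address as an RFC822 identity, and its `email:` / `fqdn:` prefixes force a type when the client presents the address differently. In ipsec.conf terms each generated block is one conn with rightid=<email> and leftsubnet=<subnets>.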