[strongSwan] local_ts based on user/group
Christian Salway
christian.salway at naimuri.com
Thu Oct 31 00:20:53 CET 2019
Hello,
Is it possible to dynamically set the local_ts based on the group the user is a member of?
I have 3 private networks and 1 public network that holds the strongSwan VPN server. From the public network, I can access each private network.
When Carol connects to the VPN, I only want her to be able to access private networks 1 and 2.
When David connects to the VPN, I only want him to be able to access private networks 2 and 3.
When Anna connects, she can access all networks.
Can you think of any way this can be done with strongSwan? The problem I am facing is setting local_ts dynamically, per user, before strongSwan sends the traffic selectors (and hence the routes) to the client.
This is my configuration so far:
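# Enable IPv4 forwarding persistently so the VPN host can route between the
# client address pool and the private networks.
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf

# Fail early if any input variable is unset or empty. The heredoc below is
# unquoted, so an unset CIDR would otherwise be written silently as an empty
# value ("local_ts = , ,") and the config would be broken without any error.
: "${CLIENT_ADDR_POOL:?}" "${SERVER_FQDNAME:?}" "${CIDR_A:?}" "${CIDR_B:?}" "${CIDR_C:?}"

# NAT everything from the client pool that leaves via eth0.
# This gives reachability only, not access control: with ip_forward on and no
# FORWARD rules, nothing in this script stops any client from reaching any of
# the private networks. Per-user restriction (Carol -> A,B; David -> B,C) has
# to be enforced either with separate connections carrying different local_ts,
# or with FORWARD rules keyed on the client's assigned pool address (the updown
# hook commented out in the child section is the usual place to add those).
iptables -t nat -A POSTROUTING -s "${CLIENT_ADDR_POOL}" -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

# Turn the commented default "# install_routes = ..." into "install_routes = no"
# so charon does not add its own routes on the server side.
sed -i "s|# \(install_routes\).*$|\1 = no|" /etc/strongswan/strongswan.d/charon.conf

# The config file carries an EAP password in clear text, so create it
# root-only (0600). A plain "cat > file" would inherit the default umask and
# typically leave it world-readable; the subshell keeps the umask change local.
( umask 077; cat <<EOF > /etc/strongswan/swanctl/swanctl.conf
connections {
    conn {
        version = 2
        send_cert = always
        unique = replace
        rekey_time = 10h
        dpd_delay = 1m
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = ${SERVER_FQDNAME}
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            # NOTE(review): a group selector can only match if the
            # authentication backend reports group membership; the local
            # eap-* secrets defined below provide none. With eap-mschapv2 and
            # local secrets, per-user policy would need one connection per
            # user group selected on the remote id / eap_id instead - confirm
            # against the swanctl.conf reference for your version.
            # groups = ${AAA_GROUP}
        }
        children {
            child {
                # Offered to every client unchanged: each peer is given
                # selectors (and routes) for all three networks. Nothing here
                # narrows them per user.
                local_ts = ${CIDR_A}, ${CIDR_B}, ${CIDR_C}
                # updown = /usr/libexec/strongswan/_updown iptables
            }
        }
        pools = pool
    }
}
pools {
    pool {
        addrs = ${CLIENT_ADDR_POOL}
    }
}
secrets {
    # Test credential only - replace before deployment. This file must stay
    # readable by root only; the password is stored in clear text.
    eap-test {
        id = test
        secret = Test123
    }
}
include conf.d/*.conf
EOF
)

systemctl start strongswan-swanctl
systemctl enable strongswan-swanctl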