[strongSwan] local_ts based on user/group

Christian Salway christian.salway at naimuri.com
Thu Oct 31 00:20:53 CET 2019


Hello,


Is it possible to dynamically set the local_ts based on the group the user is a member of?


I have 3 private networks and 1 public network that holds the strongSwan VPN server.  From the public network, I can access each private network.

When Carol connects to the VPN, I only want her to be able to access private networks 1 and 2.
When David connects to the VPN, I only want him to be able to access private networks 2 and 3.
When Anna connects, she can access all networks.

Can you think of how this can be done in any way using strongSwan?  The problem I am facing is dynamically setting the local_ts before strongSwan sends the routes to the client.

This is my configuration so far:


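# Provisions a strongSwan (swanctl) VPN server: enables IPv4 forwarding,
# NATs the client address pool out of eth0, turns off charon's automatic
# route installation, writes swanctl.conf and starts the service.
# Required environment: CLIENT_ADDR_POOL, SERVER_FQDNAME, CIDR_A, CIDR_B,
# CIDR_C (AAA_GROUP only appears in a commented-out config line).

# Fail early if a value the generated config depends on is missing;
# otherwise swanctl.conf would be written with empty id/local_ts/addrs.
: "${CLIENT_ADDR_POOL:?CLIENT_ADDR_POOL must be set}"
: "${SERVER_FQDNAME:?SERVER_FQDNAME must be set}"
: "${CIDR_A:?CIDR_A must be set}"
: "${CIDR_B:?CIDR_B must be set}"
: "${CIDR_C:?CIDR_C must be set}"

printf '%s\n' "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf

# Append the MASQUERADE rule only when it is not already present (-C),
# so re-running the script does not accumulate duplicate NAT rules.
if ! iptables -t nat -C POSTROUTING -s "${CLIENT_ADDR_POOL}" -o eth0 -j MASQUERADE 2>/dev/null; then
  iptables -t nat -A POSTROUTING -s "${CLIENT_ADDR_POOL}" -o eth0 -j MASQUERADE
fi
iptables-save > /etc/sysconfig/iptables

# Uncomment install_routes and set it to "no"; the pattern only matches
# the still-commented line, so an already-edited charon.conf is left alone.
sed -i "s|# \(install_routes\).*$|\1 = no|" /etc/strongswan/strongswan.d/charon.conf

# swanctl.conf carries the EAP secret, so create it unreadable to other
# users: umask 077 (scoped to the subshell) covers a newly created file,
# the chmod afterwards covers a pre-existing one. The unquoted EOF
# delimiter is intentional — the ${...} references expand into the file.
# The eap-test entry below is the example credential from the post.
(
  umask 077
  cat <<EOF > /etc/strongswan/swanctl/swanctl.conf
connections {
    conn {
        version = 2
        send_cert = always
        unique = replace
        rekey_time = 10h
        dpd_delay = 1m
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = ${SERVER_FQDNAME}
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            # groups = ${AAA_GROUP}
        }
        children {
            child {
                local_ts = ${CIDR_A}, ${CIDR_B}, ${CIDR_C}
                # updown = /usr/libexec/strongswan/_updown iptables
            }
        }
        pools = pool
    }
}
pools {
    pool {
        addrs = ${CLIENT_ADDR_POOL}
    }
}
secrets {
    eap-test {
      id = test
      secret = Test123
    }
}
include conf.d/*.conf
EOF
)
chmod 600 /etc/strongswan/swanctl/swanctl.conf

systemctl start strongswan-swanctl
systemctl enable strongswan-swanctl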



