[strongSwan] local_ts based on user/group

Christian Salway christian.salway at naimuri.com
Thu Oct 31 00:32:39 CET 2019


One possible way I can see this working is by using the _updown script to set firewall rules and setting local_ts to all the private network addresses...


up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    ;;


https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/_updown/_updown.in#L224


> On 30 Oct 2019, at 23:20, Christian Salway <christian.salway at naimuri.com> wrote:
> 
> Hello,
> 
> 
> Is it possible to dynamically set the local_ts based on the group the user is a member of?
> 
> 
> I have 3 private networks and 1 public network that holds the strongSwan VPN server.  From the public network, I can access each private network.
> 
> When Carol connects to the VPN, I only want her to be able to access private networks 1 and 2.
> When David connects to the VPN, I only want him to be able to access private networks 2 and 3.
> When Anna connects, she can access all networks.
> 
> Can you think of how this can be done in any way using strongSwan?  The problem I am facing is dynamically setting the local_ts before SS sends the routes to the client.
> 
> This is my configuration so far:
> 
> 
> echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip_forward.conf
> sysctl -p /etc/sysctl.d/ip_forward.conf
> 
> iptables -t nat -A POSTROUTING -s ${CLIENT_ADDR_POOL} -o eth0 -j MASQUERADE
> iptables-save > /etc/sysconfig/iptables
> 
> sed -i "s|# \(install_routes\).*$|\1 = no|" /etc/strongswan/strongswan.d/charon.conf
> 
> cat <<EOF > /etc/strongswan/swanctl/swanctl.conf
> connections {
>     conn {
>         version = 2
>         send_cert = always
>         unique = replace
>         rekey_time = 10h
>         dpd_delay = 1m
>         local {
>             auth = pubkey
>             certs = vpnserver.crt
>             id = ${SERVER_FQDNAME}
>         }
>         remote {
>             auth = eap-mschapv2
>             eap_id = %any
>             # groups = ${AAA_GROUP}
>         }
>         children {
>             child {
>                 local_ts = ${CIDR_A}, ${CIDR_B}, ${CIDR_C}
>                 # updown = /usr/libexec/strongswan/_updown iptables
>             }
>         }
>         pools = pool
>     }
> }
> pools {
>     pool {
>         addrs = ${CLIENT_ADDR_POOL}
>     }
> }
> secrets {
>     eap-test {
>       id = test
>       secret = Test123
>     }
> }
> include conf.d/*.conf
> EOF
> 
> systemctl start strongswan-swanctl
> systemctl enable strongswan-swanctl
> 
> 

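The approach sketched above, as an added worked example (this is not code from the original post, nor strongSwan's own _updown script): local_ts stays set to all three private networks, and a hook for the updown plugin enforces the per-user split with iptables when each child SA comes up or goes down. It assumes charon exports the EAP identity as PLUTO_XAUTH_ID (falling back to PLUTO_PEER_ID) and the assigned virtual IP as PLUTO_PEER_CLIENT, that a filter chain named vpn-acl exists and is jumped to from FORWARD, and that the user-to-network map and the 10.x.0.0/24 prefixes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not strongSwan's _updown: a per-user ACL hook for the updown plugin.
# charon invokes it with PLUTO_VERB=up-client / down-client; the variables it reads
# (PLUTO_XAUTH_ID, PLUTO_PEER_ID, PLUTO_PEER_CLIENT) are assumed to be exported by charon.
set -eu

IPT=${IPT:-iptables}       # set IPT="echo iptables" for a dry run
CHAIN=${CHAIN:-vpn-acl}    # assumed to exist and to be reached from FORWARD

# Constructed user -> allowed private networks map (the three /24s are illustrative).
# Unknown identities get nothing, so the default is deny.
allowed_nets() {
    case "$1" in
        carol) echo "10.1.0.0/24 10.2.0.0/24" ;;
        david) echo "10.2.0.0/24 10.3.0.0/24" ;;
        anna)  echo "10.1.0.0/24 10.2.0.0/24 10.3.0.0/24" ;;
        *)     echo "" ;;
    esac
}

# Print the iptables commands for one client: $1 = up|down, $2 = user, $3 = client CIDR.
# ACCEPT rules for the permitted networks come first, then a DROP for everything else
# from that client address, so a user only reaches their own networks even though
# local_ts (and therefore the routes pushed to the client) covers all of them.
acl_rules() {
    case "$1" in
        up)   op=-A ;;
        down) op=-D ;;
        *)    echo "acl_rules: unknown verb $1" >&2; return 1 ;;
    esac
    for net in $(allowed_nets "$2"); do
        echo "$IPT $op $CHAIN -s $3 -d $net -j ACCEPT"
    done
    echo "$IPT $op $CHAIN -s $3 -j DROP"
}

# Entry point when run by charon; skipped entirely if PLUTO_VERB is not set.
if [ -n "${PLUTO_VERB:-}" ]; then
    user=${PLUTO_XAUTH_ID:-${PLUTO_PEER_ID:-unknown}}
    case "$PLUTO_VERB" in
        up-client|down-client)
            acl_rules "${PLUTO_VERB%-client}" "$user" "$PLUTO_PEER_CLIENT" | sh ;;
    esac
fi
```

To wire it in, point the child's `updown` option at this script instead of the stock `_updown iptables`. Note that the clients still receive routes for all three networks because local_ts is unchanged; only the firewall stops Carol from reaching network 3, so the chain must be in place before the first client connects, and a user not in the map gets a DROP rule only.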