Score:0

How to link IPsec clients to different connections in strongSwan?


I use strongSwan IPsec as a VPN gateway for mobile devices (Android). In the strongSwan config I've set up two connections (two different subnets, 10.10.10.0/24 and 10.10.20.0/24, with different routing policies) for two different groups of users.

And I don't understand (and can't find in the manuals or forums) how to link a user to a connection. Where and how do I set up a strict user-to-connection relation?

Thank you!

My ipsec config:

cat /etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn any2ex
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # I've masked the server IP for this post. The certificate was issued for the IP address.
    left=*.*.233.132
    leftid=*.*.233.132
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

conn ex2loc
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=*.*.233.132
    leftid=*.*.233.132
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.20.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

I configure the Android clients following this:

https://docs.strongswan.org/strongswan-docs/5.9/os/androidVpnClientProfiles.html#_example

Cross-posted [here](https://github.com/strongswan/strongswan/discussions/974).
Score:0

The connection choice is based on rightid and depends on what the client uses as its IKE identity. If your users present an RFC822_ADDR identity, you can use some sort of wildcard with * in rightid instead of %any to differentiate them.

alex:
Thank you for your comment! I use EAP login/password authentication (/etc/ipsec.secrets with `test : EAP "test"`), so the user's rightid is the user's login, as far as I understand. Is it possible somehow to group users (instead of creating a connection for each user)?

Peter Zhabin:
There's no direct group support on these attributes, but you can fake one with a user naming convention, i.e. user-group, and then use the wildcard as suggested above. Or go full RADIUS and use plugins that would set the connection per RADIUS attributes.

alex:
Thank you, could you please provide an example? I'm playing with wildcards, but it's still not working and I have no idea why :(
Score:0

In /etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn net1
    ...
    rightid=*@net1.com
    ... 
conn net2
    ...
    rightid=*@net2.com
    ... 

And then in /etc/ipsec.secrets

user@net1.com : EAP "user_password"
user@net2.com : EAP "user_password"

With these configs user@net1.com will be connected to net1, and user@net2.com to net2 accordingly.
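To make the matching behind the wildcard rightid suggestion and the config above concrete, here is an added example (not code from strongSwan, nor from anyone in this thread): a minimal parser for the `conn` sections of an ipsec.conf fragment, plus a simplified model of how charon scores a candidate rightid against the identity the client presents (perfect match beats a one-wildcard match, which beats %any) and keeps the best-scoring conn. The ipsec.conf text embedded in it is constructed for this example; the `vpn-any` catch-all conn, the 10.10.30.0/24 pool and the sample identities are assumptions, not from the original post. The model also shows why the original question's two conns, both effectively rightid=%any, sent every client to the first conn in file order: ties keep the first candidate.

```python
"""Model of how strongSwan picks a `conn` for an IKEv2 client by rightid.

Added example, not strongSwan code or the poster's config. Simplified:
only %any, exact identities and one leading '*' wildcard are modelled.
"""

# Constructed ipsec.conf fragment; the vpn-any catch-all is hypothetical.
IPSEC_CONF = """\
config setup
    uniqueids=no

conn net1
    rightauth=eap-mschapv2
    rightid=*@net1.com
    rightsourceip=10.10.10.0/24

conn net2
    rightauth=eap-mschapv2
    rightid=*@net2.com
    rightsourceip=10.10.20.0/24

conn vpn-any
    rightauth=eap-mschapv2
    rightid=%any   # assumed catch-all for everyone else
    rightsourceip=10.10.30.0/24
"""

# Match qualities ordered like strongSwan's id_match_t (higher is better).
MATCH_NONE, MATCH_ANY, MATCH_ONE_WILDCARD, MATCH_PERFECT = 0, 1, 19, 20


def parse_conns(text):
    """Return {conn_name: {key: value}} for every ``conn`` section.

    Handles the indentation-based ipsec.conf layout, strips ``#`` comments
    and ignores ``config setup`` and ``ca`` sections.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header: "conn <name>", "config setup", "ca <name>", ...
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def match_quality(rightid, identity):
    """Score one rightid against the identity the client presented.

    %any matches anything weakly; an exact string is a perfect match; a
    single leading '*' (``*@example.com`` for e-mail identities,
    ``*.example.com`` for FQDNs) is a one-wildcard match. Comparison is
    case-insensitive, as strongSwan does for these identity types.
    """
    if rightid == "%any":
        return MATCH_ANY
    rid, ident = rightid.lower(), identity.lower()
    if rid == ident:
        return MATCH_PERFECT
    if rid.startswith("*") and ident.endswith(rid[1:]) and len(ident) > len(rid) - 1:
        return MATCH_ONE_WILDCARD
    return MATCH_NONE


def select_conn(conns, identity):
    """Return (conn_name, quality) of the best-matching conn, or (None, 0).

    A conn without rightid is treated as %any in this model. Ties keep the
    first conn in file order, which is why two conns that both accept any
    identity always route every client to the first one.
    """
    best, best_q = None, MATCH_NONE
    for name, opts in conns.items():
        q = match_quality(opts.get("rightid", "%any"), identity)
        if q > best_q:
            best, best_q = name, q
    return best, best_q


def route_identities(text, identities):
    """Map each client identity to (conn, rightsourceip pool) it would get."""
    conns = parse_conns(text)
    result = {}
    for ident in identities:
        name, _ = select_conn(conns, ident)
        result[ident] = (name, conns[name].get("rightsourceip") if name else None)
    return result


if __name__ == "__main__":
    # Constructed sample identities, including one that matches no wildcard.
    sample = ["alice@net1.com", "bob@net2.com", "carol@example.org", "net1.com"]
    for ident, (conn, pool) in route_identities(IPSEC_CONF, sample).items():
        print(f"{ident:20} -> {conn} ({pool})")
```

Note that `net1.com` on its own does not match `*@net1.com` (there is nothing in front of the `@`), so a client that sends a bare FQDN or an IP address as its identity falls through to the catch-all; that is the failure mode to check first when a wildcard conn "does not work": compare the identity charon logs for the client against the pattern in rightid.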
