
I use strongSwan IPsec as a VPN gateway for mobile devices (Android). In the strongSwan config I've set up 2 connections (two different subnets, 10.10.10.0/24 and 10.10.20.0/24, with different routing policies) for 2 different groups of users.

And I don't understand (and can't find in the manuals or forums) how to link a user to a connection. Where and how do I set up a strict user-to-connection relation?

Thank you!

My ipsec config:

cat /etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn any2ex
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # I've masked the server IP for this post. The certificate was issued for the IP address.
    leftid=*.*.233.132
    left=*.*.233.132
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

conn ex2loc
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=*.*.233.132
    leftid=*.*.233.132
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.20.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

I configure the Android clients following this:

https://docs.strongswan.org/strongswan-docs/5.9/os/androidVpnClientProfiles.html#_example

alex
  • 101
  • 2

2 Answers

0

The connection choice is based on rightid and depends on what is used as IKE identity by the client. If your users present RFC822_ADDR as identity, you can use some sort of a wildcard with * on rightid instead of %any to differentiate them.

Peter Zhabin
  • 2,696
  • 9
  • 10
  • Thank you for your comment! I use EAP login-password authentication ( /etc/ipsec.secrets with `test : EAP "test"`), so the user's rightid is the user's login, as far as I understand. Is it possible somehow to group users (instead of creating a connection for each user)? – alex Mar 31 '22 at 09:03
  • There's no direct groups support on these attributes, but you can fake one with user naming convention, i.e. user-group and then use the wildcard as suggested above. Or go full RADIUS and use plugins that would set connection per RADIUS attributes. – Peter Zhabin Mar 31 '22 at 12:46
  • Thank you, could you please provide an example. I'm playing with wildcards, but it's still not working and I have no idea why :( – alex Apr 01 '22 at 05:53
0

In /etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn net1
    ...
    rightid=*@net1.com
    ... 
conn net2
    ...
    rightid=*@net2.com
    ... 

And then in /etc/ipsec.secrets

user1@net1.com : EAP "user_password"
user1@net2.com : EAP "user_password"

With these configs user1@net1.com will be connected to net1, and user1@net2.com to net2 accordingly.

alex
  • 101
  • 2
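As an added check (example code, not from the question or either answer): a small Python script that parses a constructed ipsec.conf/ipsec.secrets pair in the shape of the answer above, applies the `rightid` wildcard the way the answer relies on it, and reports EAP identities that match no conn or more than one, so that a user never lands in the wrong subnet silently. The wildcard matching is a simplified model of strongSwan's `*` handling (an assumption), not charon's own code, and the sample configs are constructed for this example.

```python
import re
# Constructed sample in the shape of the answer above (the "..." lines left out).
IPSEC_CONF = """\
config setup
conn net1
    rightid=*@net1.com
    rightsourceip=10.10.10.0/24
conn net2
    rightid=*@net2.com
    rightsourceip=10.10.20.0/24
"""
IPSEC_SECRETS = """\
user1@net1.com : EAP "user_password"
user1@net2.com : EAP "user_password"
bob : EAP "no_domain_in_identity"
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section of ipsec.conf."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section header: 'conn <name>' or 'config setup'
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name, {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    return conns

def parse_eap_identities(text):
    """Identities from 'ident : EAP "password"' lines of ipsec.secrets."""
    return re.findall(r'^\s*(\S+)\s*:\s*EAP\s', text, re.M)

def rightid_matches(pattern, identity):
    """Simplified model (assumption) of rightid matching: %any matches all, * is a wildcard."""
    if pattern == "%any":
        return True
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), identity) is not None

def map_identities(conns, identities):
    """Each EAP identity -> names of the conns whose rightid matches it."""
    return {i: [n for n, c in conns.items() if rightid_matches(c.get("rightid", "%any"), i)]
            for i in identities}

def check_mapping(conns, identities):
    """(unmatched, ambiguous): no conn means the user is rejected; several conns means
    charon's config ranking, not an unambiguous rightid, decides the user's subnet."""
    mapping = map_identities(conns, identities)
    return ([i for i, c in mapping.items() if not c], [i for i, c in mapping.items() if len(c) > 1])
```

Run `check_mapping(parse_conns(IPSEC_CONF), parse_eap_identities(IPSEC_SECRETS))` against your real files to see which ipsec.secrets users fall outside the naming convention before they try to connect.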