On Wed, 22 Apr 2015, Jonas Trollvik wrote:

I have a connection that looks like the following

conn xauth-rsa
   authby=secret
   pfs=no
   auto=add
   rekey=no
   left=<my ip>
   leftid=<my id>
   leftsendcert=always
   leftsubnet=0.0.0.0/0
   rightaddresspool=192.168.42.100-192.168.42.250
   right=%any
   modecfgdns1=8.8.8.8
   modecfgdns2=8.8.4.4
   leftxauthserver=yes
   rightxauthclient=yes
   leftmodecfgserver=yes
   rightmodecfgclient=yes
   modecfgpull=yes
   ike-frag=yes
   xauthby=file

The connection works fine from macosx, however what I would like to do
is set a static ip for certain connecting clients. Either based on
group id, xauth username or shared secret.

Currently, our only option would be to add a new connection with a different group
id. But it would require aggressive mode, and with PSKs that's really
the least secure setup :/

You'd have a better chance of getting this working when using
certificates, as you then should be able to match conns based on cert
IDs (but untested by me)

I guess it would be nice if we had a feature where the addresspool code
that remembers previously handed out IPs could be "pre-loaded" with some
ID-IP mappings. Anyone with some spare time on their hands? :)

Also I would like to enable split tunneling; how would one do this?
Currently all traffic is routed through the VPN (there is no option
in the built-in macOS client to turn this off). I would only like to
route certain IP ranges through it; is it possible to control this from
libreswan?

That is unfortunately only implemented as a client, not as a server. It
mostly involves dealing with sending the right XAUTH payloads on the
server side, and possibly some tweaks to add multiple SAs instead of
only one SA. It would use the leftsubnets={} syntax to specify these.

Paul
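The certificate-based approach Paul sketches above, written out as an ipsec.conf fragment. This is an added example, not configuration from the thread or from the libreswan project, and, as Paul says, it is untested: it assumes the server certificate is imported into the NSS database under the nickname `vpn-server`, that the pinned client presents a certificate with subject `CN=alice,O=Example Corp`, and that libreswan will select the more specific conn when that peer ID matches. The placeholders `<my ip>` and `<my id>` are carried over from the original conn.

```conf
# Shared settings, pulled into each real conn with also=. Authentication is
# switched from authby=secret to certificates, because with PSK the peer
# cannot be told apart before the address is handed out (see thread above).
conn xauth-rsa-common
    auto=ignore
    authby=rsasig
    pfs=no
    rekey=no
    left=<my ip>
    leftid=<my id>
    leftcert=vpn-server            # NSS nickname of the server cert (assumed)
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightrsasigkey=%cert           # take the peer's public key from its cert
    modecfgdns1=8.8.8.8
    modecfgdns2=8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    ike-frag=yes
    xauthby=file

# Catch-all conn: any client with a certificate from the trusted CA
# still gets an address from the shared pool.
conn xauth-rsa
    also=xauth-rsa-common
    auto=add
    rightid=%fromcert
    rightaddresspool=192.168.42.100-192.168.42.250

# Pinned client: only this certificate DN matches, and its "pool" is a
# single address kept outside the shared range so the two pools never
# overlap and the catch-all conn can never hand that address out.
conn xauth-rsa-alice
    also=xauth-rsa-common
    auto=add
    rightid="CN=alice,O=Example Corp"   # example DN (assumed)
    rightaddresspool=192.168.42.10-192.168.42.10
```

Keep the per-client address outside the shared pool; otherwise the pinned address can already have been leased to another client through the catch-all conn. Whether conn selection by certificate ID composes with XAUTH and a one-address pool on a given libreswan version is exactly the part Paul marks as untested, so verify it with `ipsec auto --status` and a test client before relying on it.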
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
