On 22.04.2015 at 20:24, Paul Wouters wrote:
On Wed, 22 Apr 2015, Jonas Trollvik wrote:
I have a connection that looks like the following
conn xauth-rsa
authby=secret
pfs=no
auto=add
rekey=no
left=<my ip>
leftid=<my id>
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=192.168.42.100-192.168.42.250
right=%any
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
ike-frag=yes
xauthby=file
The connection works fine from Mac OS X; however, what I would like to do
is set a static IP for certain connecting clients, either based on
group id, xauth username or shared secret.
Currently, our only option would be to add a new connection with a
different group id. But it would require aggressive mode, and with PSKs
that's really the least secure setup :/
You'd have a better chance of getting this working when using
certificates, as you then should be able to match conns based on cert
IDs (but untested by me).
I have tested this for a while and it should work.
I have also made a patch for "this special feature", where you are able
to configure an ip per user in /etc/passwd, if you really need PSK
connections.
user:password:connection[:ip or from-to ip range]
Maybe you will try it.
I guess it would be nice if we had a feature where the addresspool code
that remembers previously handed out IPs could be "pre-loaded" with some
ID-IP mappings. Anyone with some spare time on their hands? :)
Also I would like to enable split tunneling. How would one do this?
Currently all traffic is routed through the VPN (there is no option
in the built-in macOS client to turn this off); I would only like to
route certain IP ranges through it. Is it possible to control this from
libreswan?
That is unfortunately only implemented as a client, not as a server. It
mostly involves dealing with sending the right XAUTH payloads on the
server side, and possibly some tweaks to add multiple SAs instead of
only one SA. It would use the leftsubnets={} syntax to specify these.
Wolfgang
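As an added example (not libreswan code and not part of the patch below), here is a stand-alone parser and lookup for the extended password-file line format Wolfgang describes, user:password:connection[:ip or from-to ip range]. It shows the checks a server-side implementation wants before it hands the address to the client: the address field is validated with inet_pton, a range must be ordered, a five-field or over-long line is rejected, and an absent or empty connection name keeps the old meaning "applies to all connections". The struct and function names, the MAXF limit and the sample lines (with placeholder hashes) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAXF 128                /* assumed maximum length of one field */

/* One parsed line of the assumed file format user:hash:conn[:ip|from-to] */
struct xauth_entry {
    char user[MAXF];
    char passwd[MAXF];          /* password hash as stored in the file */
    char conn[MAXF];            /* "" means any connection */
    int has_addr;               /* 1 if an address or range was given */
    struct in_addr start;       /* single address: start == end */
    struct in_addr end;
};

/* Parse one line into *e (e may be NULL to only validate). 0 = ok, -1 = malformed. */
int parse_xauth_line(const char *line, struct xauth_entry *e)
{
    char buf[4 * MAXF];
    char *f[4] = { NULL, NULL, NULL, NULL };
    char *p = buf, *next;
    struct xauth_entry tmp;
    int n = 0;

    memset(&tmp, 0, sizeof(tmp));
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';

    /* split by hand: strtok would collapse the empty field in "user:hash::ip" */
    while (n < 4 && p != NULL) {
        f[n++] = p;
        next = strchr(p, ':');
        if (next != NULL)
            *next++ = '\0';
        p = next;
    }
    if (p != NULL)              /* a fifth field is left over */
        return -1;
    if (n < 2 || f[0][0] == '\0' || f[1][0] == '\0')
        return -1;              /* user and password hash are mandatory */
    if (strlen(f[0]) >= MAXF || strlen(f[1]) >= MAXF || (n > 2 && strlen(f[2]) >= MAXF))
        return -1;
    strcpy(tmp.user, f[0]);
    strcpy(tmp.passwd, f[1]);
    if (n > 2)
        strcpy(tmp.conn, f[2]);

    if (n > 3 && f[3][0] != '\0') {
        char *dash = strchr(f[3], '-');
        tmp.has_addr = 1;
        if (dash == NULL) {
            if (inet_pton(AF_INET, f[3], &tmp.start) != 1)
                return -1;
            tmp.end = tmp.start;
        } else {
            *dash++ = '\0';
            if (inet_pton(AF_INET, f[3], &tmp.start) != 1 ||
                inet_pton(AF_INET, dash, &tmp.end) != 1)
                return -1;
            if (ntohl(tmp.start.s_addr) > ntohl(tmp.end.s_addr))
                return -1;      /* reversed range */
        }
    }
    if (e != NULL)
        *e = tmp;
    return 0;
}

/* Number of addresses the entry reserves; 0 when none was configured. */
unsigned long entry_pool_size(const struct xauth_entry *e)
{
    if (!e->has_addr)
        return 0;
    return (unsigned long)(ntohl(e->end.s_addr) - ntohl(e->start.s_addr)) + 1;
}

/* Entry applies to user on conn; an empty conn name matches any conn. */
int entry_matches(const struct xauth_entry *e, const char *user, const char *conn)
{
    return strcmp(e->user, user) == 0 &&
           (e->conn[0] == '\0' || strcmp(e->conn, conn) == 0);
}

/* Constructed sample file; the hashes are placeholders, not real crypt() output. */
static const char *const sample_file[] = {
    "alice:$6$hashA:xauth-rsa:192.168.42.10",
    "bob:$6$hashB:xauth-rsa:192.168.42.20-192.168.42.29",
    "carol:$6$hashC::",                                       /* any conn, pool address */
    "dave:$6$hashD",                                          /* old two-field form */
    "mallory:$6$hashE:xauth-rsa:192.168.42.30-192.168.42.5",  /* reversed range: skipped */
    "eve:$6$hashF:xauth-rsa:not-an-address",                  /* bad address: skipped */
};

/* First usable entry for user/conn over the sample lines; malformed lines are skipped. */
int lookup_user(const char *user, const char *conn, struct xauth_entry *out)
{
    size_t i;
    for (i = 0; i < sizeof(sample_file) / sizeof(sample_file[0]); i++) {
        struct xauth_entry e;
        if (parse_xauth_line(sample_file[i], &e) != 0) {
            fprintf(stderr, "xauth file line %zu: malformed, skipped\n", i + 1);
            continue;
        }
        if (entry_matches(&e, user, conn)) {
            if (out != NULL)
                *out = e;
            return 1;
        }
    }
    return 0;
}

/* Pool size for a user: -1 if there is no usable entry, 0 if it carries no address. */
long lookup_pool_size(const char *user, const char *conn)
{
    struct xauth_entry e;
    if (!lookup_user(user, conn, &e))
        return -1;
    return (long)entry_pool_size(&e);
}

int main(void)
{
    const char *users[] = { "alice", "bob", "carol", "dave", "mallory", "eve" };
    size_t i;
    for (i = 0; i < sizeof(users) / sizeof(users[0]); i++)
        printf("%s on xauth-rsa: pool size %ld\n", users[i],
               lookup_pool_size(users[i], "xauth-rsa"));
    return 0;
}
```

Note that a reversed range and an unparseable address are reported and skipped rather than silently assigning whatever the address variable happened to hold, and that the old two-field form still authenticates against every conn.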
--- libreswan-3.12/programs/pluto/ikev1_xauth.c 2014-12-08 10:33:07.000000000
+0100
+++ libreswan-3.12/programs/pluto/ikev1_xauth.c 2014-12-08 10:32:54.000000000
+0100
@@ -112,6 +112,7 @@
char *name;
char *password;
char *connname;
+ char *ipaddr;
st_jbuf_t *ptr;
};
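Review bot: the new `ipaddr` member added to the struct at line 112 is never assigned or read anywhere else in the patch; the configured address is parsed from the local `addresspool` string inside the lookup loop instead. Either drop the member, or use it to carry the parsed address back to the caller so the loop does not have to touch the connection object `c` directly.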
@@ -1216,6 +1217,9 @@
char *userid;
char *passwdhash;
char *connectionname = NULL;
+ char *addresspool = NULL;
+ struct connection *c = arg->st->st_connection;
+ ip_range *pool_range;
lineno++;
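Review bot: `ip_range *pool_range` is declared here as a pointer and is later heap-allocated with `alloc_thing()` for every password line that carries a range, then freed again; a stack variable `ip_range pool_range;` would do and removes the alloc/pfree pair and the NULL check. The name `addresspool` is also misleading, since the field holds either a single address or a from-to range; something like `addrspec` would match the format description `[:ip or from-to ip range]`.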
@@ -1242,20 +1246,32 @@
/* get password hash */
passwdhash = p;
p = strchr(passwdhash, ':'); /* find end */
+ if (p == NULL) {
+ /* no end: skip line */
+ libreswan_log("XAUTH: %s:%d missing connection name
field", pwdfile, lineno);
+ continue;
+ }
+
+ *p++ ='\0'; /* terminate string by overwriting : */
+
+ /* get connection name */
+ connectionname = p;
+ p = strchr(connectionname, ':'); /* find end */
if (p != NULL) {
- /* optional connectionname */
+ /* optional addresspool */
*p++ ='\0'; /* terminate password string by
overwriting : */
- connectionname = p;
+ addresspool = p;
}
/* If connectionname is null, it applies
* to all connections
*/
DBG(DBG_CONTROL,
- DBG_log("XAUTH: found user(%s/%s) pass(%s) connid(%s/%s)",
+ DBG_log("XAUTH: found user(%s/%s) pass(%s) connid(%s/%s)
addresspool(%s)",
userid, arg->name,
passwdhash,
- connectionname == NULL? "<any>" : connectionname,
arg->connname));
+ connectionname == NULL? "" : connectionname,
arg->connname,
+ addresspool == NULL? "" : addresspool));
if (streq(userid, arg->name) &&
(connectionname == NULL || streq(connectionname,
arg->connname)))
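Review bot: the new `if (p == NULL) { ... continue; }` after the password hash rejects every line of the old two-field form `user:hash`, logging "missing connection name field", although that form previously meant "applies to all connections"; this is a backward-incompatible change for existing password files. Keep the third field optional (treat a missing or empty connection name as a wildcard), which also keeps the retained comment "If connectionname is null, it applies to all connections" and the `connectionname == NULL` checks truthful. As written `connectionname` is always non-NULL after this hunk, so those checks are dead, and an empty name from a line like `user:hash::10.0.0.5` fails the `streq(connectionname, arg->connname)` comparison instead of matching any conn.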
@@ -1285,8 +1301,38 @@
userid, connectionname);
}
- if (win)
+ if (win) {
+
+ if(addresspool != NULL) {
+ /* set user defined ip address or pool
*/
+ char *temp;
+ temp = strchr(addresspool, '-');
+ if (temp == NULL ) {
+
+ ttoaddr(addresspool, 0,
AF_INET, &c->spd.that.client.addr);
+ if ((c->pool != NULL)) {
+ DBG(DBG_CONTROLMORE,
+ DBG_log("free
addresspool entry for the conn %s ",
+ c->name));
+
unreference_addresspool(c);
+ }
+ } else {
+
+ pool_range =
alloc_thing(ip_range, "pool_range");
+
+ if(pool_range != NULL){
+
+ ttorange(addresspool,
0, AF_INET, pool_range, TRUE);
+
if(pool_range->start.u.v4.sin_addr.s_addr){
+ c->pool =
install_addresspool(pool_range);
+ }
+ pfree(pool_range);
+ }
+ }
+ }
+
break;
+ }
libreswan_log("XAUTH: nope");
}
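Review bot: the return values of `ttoaddr()` and `ttorange()` are ignored, so a mistyped address in the password file silently leaves `c->spd.that.client.addr` or `pool_range` at whatever it held (the only check is that `pool_range->start` is non-zero) while the user is still authenticated; check the returned `err_t`, log it with the file name and line number, and skip the line or fail the auth. The two branches also handle the connection's existing pool differently: the single-address branch calls `unreference_addresspool(c)`, but the range branch overwrites `c->pool` with `install_addresspool(pool_range)` without releasing the pool the connection already references, leaking that reference. If `alloc_thing()` cannot return NULL (pluto's allocator aborts instead), the `pool_range != NULL` check is dead as well. Minor style: `if(addresspool != NULL)` and `if(pool_range != NULL){` lack the spaces used elsewhere in this file.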
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan