Thank you for the answer.
Hmm, strange...

Anyway, I found how to achieve that:

Just create a separate "conn" section for each certificate common name,
i.e.
 
 
conn ikev2-1st-client
  ...
  rightid="CN=client1"
  rightaddresspool=192.168.43.5-192.168.43.5

conn ikev2-2nd-client
  ...
  rightid="CN=client2"
  rightaddresspool=192.168.43.6-192.168.43.6
 
And each client was bound to an IP based on their certificate =)
 


23.04.2020, 17:04, "Paul Wouters" <[email protected]>:

On Thu, 23 Apr 2020, None None wrote:

 Please advise me,
 how can I assign rightaddresspool (IP) for users based on their certificates (IKEv2)?

 I.e.
 I issue 2 certificates, vpn.user1 and vpn.user2,
 and want vpn.user1 to always get the x.x.x.32 IP
 and vpn.user1 to always get the x.x.x.33 IP


Currently, that is not possible unfortunately.

Users are given back their old lease IP whenever we can, so it does
remain fairly static if your addresspool is big enough.

I agree it would be good to work on this as a feature.

If your deployment is very small, instead of one conn, you can have
one conn per user and set each with a separate rightsubnet=IPaddress/32

A fairly simple solution could be to write code for a new option in the
/etc/ipsec.secrets file (or a new file) that uses:

@userid :IP 1.2.3.4

But currently, we don't have that.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
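
Added example, not part of the original thread and not libreswan code: with one conn per certificate as in the reply above, a copy-paste slip that reuses a rightid or an address means the address no longer identifies a single certificate. This Python check reports such conflicts; the sample config is constructed, the function names are hypothetical, and pools are assumed to be written in the start-end form shown above.

```python
import ipaddress

# Constructed sample in the layout used above; the third conn reuses an address.
SAMPLE_CONF = """
conn ikev2-1st-client
  rightid="CN=client1"
  rightaddresspool=192.168.43.5-192.168.43.5
conn ikev2-2nd-client
  rightid="CN=client2"
  rightaddresspool=192.168.43.6-192.168.43.6
conn ikev2-3rd-client
  rightid="CN=client3"
  rightaddresspool=192.168.43.6-192.168.43.6
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # options under 'config setup' are not per-conn
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def pool_bounds(pool):  # 'start-end' form assumed; a bare address is a pool of one
    lo, _, hi = pool.partition("-")
    return int(ipaddress.ip_address(lo.strip())), int(ipaddress.ip_address((hi or lo).strip()))

def find_conflicts(text):
    """List problems that break the one-certificate-one-address binding."""
    problems, ids, pools = [], {}, []
    for name, opts in parse_conns(text).items():
        rid, pool = opts.get("rightid"), opts.get("rightaddresspool")
        if not rid or not pool:
            continue  # not a per-client pinned conn
        if rid in ids:
            problems.append(f"{name}: rightid {rid} already used by {ids[rid]}")
        ids.setdefault(rid, name)
        lo, hi = pool_bounds(pool)
        if lo != hi:
            problems.append(f"{name}: pool {pool} holds more than one address")
        problems += [f"{name}: pool {pool} overlaps {o}" for o, a, b in pools if lo <= b and a <= hi]
        pools.append((name, lo, hi))
    return problems
```

Calling `find_conflicts()` on the text of the real config before reloading it catches the slip before two certificates end up sharing an address.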
