> >> I am using this libreswan setup[1]
> >>
> >> I was wondering what would be the best practice to assign the same ip
> >> (from the rightaddresspool) to a client using a specific certificate.
> >> Maybe based on this rightid=%fromcert?
> >
> > It's on our TODO list, see
> > https://github.com/libreswan/libreswan/issues/473
> >
> > Paul
> > _______________________________________________
> > Swan mailing list
> > [email protected]
> > https://lists.libreswan.org/mailman/listinfo/swan
> >
>
> Isn't that already possible if you use the same configuration for every
> client and change only rightid and rightaddresspool like:
>
> conn client1
>     ...
>     rightid=client1
>     rightaddresspool=10.10.20.1-10.10.20.1
>
> conn client2
>     ...
>     rightid=client2
>     rightaddresspool=10.10.20.2-10.10.20.2
>
> Wolfgang

conn eap-shared
    type=tunnel
    ike=aes128-sha1-modp1024
    rightauth=eap-mschapv2
    leftcert=server-cert.pem

conn eap-init
    also=eap-shared
    # this config is used to do the EAP-Identity exchange and the
    # authentication of client and server
    eap_identity=%identity
    # the following is used to force a connection switch after
    # the authentication completed
    rightgroups=thisseemsirrelevant
    auto=add

conn eap-liv
    also=eap-shared
    eap_identity=*@liv-some-domain.com
    rightsourceip=10.200.0.0/16-10.200.254.254/16
    auto=add

conn eap-dev
    also=eap-shared
    eap_identity=*@dev-some-domain.com
    rightsourceip=10.100.0.0/16-10.100.254.254/16
    auto=add

https://serverfault.com/questions/1097369/strongswan-ipsec-multiple-roadwarrior-connections-different-subnets
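
The per-client approach quoted above (one conn per client, each with a one-address rightaddresspool), as an added example that is not part of the original thread: a generator that refuses duplicate or out-of-range addresses before writing the stanzas. The shared conn name `clients-base`, the function name and the sample IDs are assumptions standing in for the "..." settings.

```python
import ipaddress
import re

SAFE_ID = re.compile(r"[A-Za-z0-9._-]+")  # no whitespace/newlines in conn names

def render_fixed_ip_conns(assignments, pool_cidr, base_conn="clients-base"):
    """Return libreswan conn stanzas giving each client ID a one-address pool.

    assignments: dict mapping rightid -> IPv4 address string (constructed data).
    pool_cidr:   network that every fixed address must fall inside.
    base_conn:   hypothetical conn holding the settings shared by all clients.
    """
    network = ipaddress.ip_network(pool_cidr)
    owner_of = {}
    stanzas = []
    for client_id, addr_text in sorted(assignments.items()):
        # The ID is written into a config file, so reject anything that
        # could start a new line or a new keyword.
        if not SAFE_ID.fullmatch(client_id):
            raise ValueError(f"unsafe client id: {client_id!r}")
        addr = ipaddress.ip_address(addr_text)
        if addr not in network:
            raise ValueError(f"{addr} for {client_id} is outside {network}")
        if addr in (network.network_address, network.broadcast_address):
            raise ValueError(f"{addr} for {client_id} is not a host address")
        # Two identities sharing one address would defeat per-client
        # firewall rules and make logs ambiguous.
        if addr in owner_of:
            raise ValueError(f"{addr} assigned to {owner_of[addr]} and {client_id}")
        owner_of[addr] = client_id
        stanzas.append(
            f"conn {client_id}\n"
            f"    also={base_conn}\n"
            f"    rightid={client_id}\n"
            f"    rightaddresspool={addr}-{addr}\n"
        )
    return "\n".join(stanzas)

if __name__ == "__main__":
    # Constructed sample mapping, mirroring the client1/client2 example.
    sample = {"client1": "10.10.20.1", "client2": "10.10.20.2"}
    print(render_fixed_ip_conns(sample, "10.10.20.0/24"))
```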
