Hi Dirk,

did you have a look at the ipsec pool tool, which allows you to pre-assign static IP addresses to users by storing them in a small SQLite database:

http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool

Interesting for you is a feature which allows ipsec pool to read a file-based list and store the entries in the database:

  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]
    Add a list of pool addresses to the database.
      name:    Name of the pool, as used in ipsec.conf rightsourceip=%name
      file:    File where newline-separated pool addresses for are read from
               Optionally each address can be pre-assigned to a roadwarrior
               identity, e.g. [email protected].
               If a '-' (hyphen) is given instead of a file name, the
               addresses are read from STDIN. Reading addresses stops at
               the end of file or an empty line.
               Pools created with this command can not be resized.
      timeout: Lease time in hours, 0 for static leases

Best regards

Andreas

On 22.08.2012 10:09, Dirk Hartmann wrote:
> Hi,
>
> I played with a config to connect Win7 clients with EAP-MSCHAPv2 auth:
> <http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig>
>
> works so far, but has the drawback that you can't assign a static IP
> to a special user. I tried to simply use two connections with:
>
> conn win7eap
>     right=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.0.0.3
>     rightsendcert=never
>     eap_identity=dhaeap
>
> conn win7auth
>     right=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.2.3
>     rightsendcert=never
>     eap_identity=dhaw7
>
> But strongSwan always picks the first connection on every client
> connecting via eap-mschapv2. So eap_identity doesn't work the way I
> expected it to.
>
> Aug 22 09:37:36 purgatory01 charon: 09[CFG] candidate "win7eap", match: 1/1/5/2 (me/other/ike/version)
> Aug 22 09:37:36 purgatory01 charon: 09[CFG] candidate "win7auth", match: 1/1/5/2 (me/other/ike/version)
> Aug 22 09:37:36 purgatory01 charon: 09[CFG] selected peer config 'win7eap'
>
> Is there another way to assign static IPs to Win7 clients connecting
> with eap-mschapv2 or is this only possible using client certificates?
>
> The thing is I would like to assign different networks to different
> users depending on their department.
>
> Thanks and Regards
>
> Dirk

======================================================================
Andreas Steffen                                       [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
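
An added example, not part of the original message and not strongSwan code: a shell lint for the address list before it is loaded with `ipsec pool --add`, catching an empty line that would stop reading early as well as duplicate addresses or identities. The `ADDRESS=IDENTITY` line form is an assumption (the example in the quoted usage text is masked on this page), only IPv4 is handled, and the sample input is constructed.

```shell
#!/bin/sh
# Lint an address list before loading it with:
#   ipsec pool --add <name> --addresses <file> --timeout 0
# Assumed line form: ADDRESS or ADDRESS=IDENTITY (IPv4 only here).
lint_pool_list() {   # $1 = list file; prints findings, returns 1 if any
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; n++ }
    { sub(/\r$/, "") }                  # tolerate CRLF line endings
    # Reading stops at the first empty line, so later entries are lost.
    stopped { if ($0 != "") bad("would not be read: follows an empty line"); next }
    $0 == "" { stopped = 1; next }
    {
        addr = $0; id = ""; eq = index($0, "=")
        if (eq) { addr = substr($0, 1, eq - 1); id = substr($0, eq + 1) }
        ok = (split(addr, o, ".") == 4)
        for (i = 1; ok && i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { bad("not an IPv4 address: " addr); next }
        if (addr in seen_addr) bad("duplicate address " addr)
        seen_addr[addr] = 1
        if (eq && id == "") bad("empty identity for " addr)
        if (id != "") {
            if (id in seen_id) bad("identity " id " already has " seen_id[id])
            else seen_id[id] = addr
        }
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: the addresses and identities from the quoted config,
# plus three deliberate mistakes (other-user and late-user are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
10.0.0.3=dhaeap
10.10.2.3=dhaw7
10.10.2.3=other-user
10.10.2.300

10.10.2.4=late-user
EOF
lint_pool_list "$sample" || echo "fix the list before running ipsec pool --add"
rm -f "$sample"
```

A clean list produces no output and a zero exit status, so the function can gate the `ipsec pool --add` call in a provisioning script.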
