Hi list, I would like some input from people who understand the code-base on the following ...
My situation is: I have iOS devices (IKEv1) connecting to strongswan (5.0.2) using xauthrsasig. They are connecting using "VPN On Demand". The CN field of the client certificate has a user/device identifier.

I have some users I would like to eject from the system. I realize I can use CRLs, but since they are using "VPN On Demand" my experience is that their device will just black-hole in an infinite reconnect loop and they will lose network access. This is a pretty nasty scenario to impose upon users, especially as they may not realize why they have lost network access and waste a lot of time troubleshooting it (particularly non-techy users).

So ... I'd like to eject them from the system in a nicer way. My idea was to allow them to connect to the VPN, but if they are on the black-list I would like to push them a custom DNS server which resolves everything to a webapp that tells them they have lost VPN access and gives instructions on how to proceed. This way they effectively lose VPN access, but they understand why and the user experience is much less jarring.

My questions are:

* does this seem like a viable approach?
* do you have any other/better suggestions I could use to accomplish the same thing?
* if the approach seems viable, could you give me a few pointers on where I would find the code which pushes out the DNS servers, so I can experiment with trying to patch it to do what I have outlined?
* also, do you know of any plugin or patch which already does something like this?

Any insights or suggestions would be greatly appreciated.

Thanks.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

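As an added example, not part of the original post and not strongSwan's own code: the per-client decision the poster wants to patch in, written in Python in isolation from the daemon. It parses the peer certificate subject in the string form strongSwan logs (e.g. "C=CH, O=Example, CN=device-0042"), takes the CN as the user/device identifier and returns either the normal resolvers or a single captive resolver for black-listed identities. The DN parser honours backslash escapes, so a CN such as "Doe\, John" is kept as one value rather than split on the comma. The blacklist, the resolver addresses and the sample subjects are constructed for the example. (strongSwan's attr-sql plugin can also bind attributes such as DNS servers to individual identities from a database; the example below only shows the selection logic itself.)

```python
"""Select which DNS server(s) to push to a VPN client, keyed on the CN of
its certificate.  Added example; all names and addresses are made up."""

# Constructed configuration (assumptions for the example, not real servers).
CAPTIVE_DNS = "10.99.0.53"            # resolver that answers every name with the "you are locked out" webapp
NORMAL_DNS = ["10.0.0.53", "10.0.0.54"]  # the resolvers ordinary clients receive
BLACKLIST = {"device-0042", "jane.doe-iphone"}  # CN values that have been ejected


def parse_dn(dn):
    """Split an RFC 4514 style DN into (attribute, value) pairs.

    Handles "\\," and other backslash escapes inside values and keeps any
    "=" that appears after the first one as part of the value.  Attribute
    names are upper-cased so "cn=" and "CN=" compare equal.
    """
    pairs = []
    key, val = [], []
    current = key
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == "=" and current is key:
            current = val                  # first "=" separates name from value
        elif ch == ",":
            pairs.append(("".join(key).strip().upper(), "".join(val).strip()))
            key, val = [], []
            current = key
        else:
            current.append(ch)
        i += 1
    if key or val:
        pairs.append(("".join(key).strip().upper(), "".join(val).strip()))
    return pairs


def common_name(dn):
    """Return the first CN value of the DN, or None if there is none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def dns_for_peer(dn):
    """DNS servers to hand to the client identified by its certificate subject.

    A black-listed CN, and also a certificate without any CN (one that does
    not follow the naming scheme), gets only the captive resolver: the
    decision fails closed.
    """
    cn = common_name(dn)
    if cn is None or cn in BLACKLIST:
        return [CAPTIVE_DNS]
    return list(NORMAL_DNS)


if __name__ == "__main__":
    # Constructed sample subjects, in the form strongSwan prints peer identities.
    for subject in ("C=CH, O=Example, CN=device-0001",
                    "C=CH, O=Example, CN=device-0042",
                    "CN=Doe\\, John, O=Example",
                    "O=Example"):
        print(f"{subject!r:45} -> {dns_for_peer(subject)}")
```

Handing out a captive resolver only changes name resolution: the tunnel itself is still up, and a client that uses hard-coded IP addresses or its own resolver keeps working access. If this approach is used, the same decision should also drive the firewall rules for that client's virtual IP so that only the resolver and the notice webapp are reachable.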