Hi,

> My idea was to allow them to connect to the VPN but if they are on the
> black-list I would like to push them out a custom DNS server

This could be achieved by having two connections specifying different DNS servers using the "rightdns" ipsec.conf option. And of course you'd have to limit the subnet negotiated, as the client could overwrite the DNS setting to circumvent your restrictions. With iOS and IKEv1, this could work with an appropriate rightsubnet and the unity plugin.

The question is how you would black-list users and enforce a specific configuration. When using XAuth and a RADIUS backend, you could assign group membership in your AAA backend and enforce specific configurations using rightgroups. When using certificates this might be more difficult, as we currently don't support attribute certificates in charon.

Alternatively, you could consider writing your own DNS attribute provider [1] in a plugin and select the correct server for each user based on your own criteria.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/attributes/attribute_provider.h
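The two-connection layout Martin describes, written out as an added ipsec.conf example (not from the mailing-list thread or the strongSwan project). It assumes IKEv1 hybrid authentication (gateway certificate plus XAuth against RADIUS), that the RADIUS backend returns the group names "dns-restricted" and "dns-normal" for each user, and uses constructed addresses; the gateway-side subnet is expressed with leftsubnet because the roadwarrior is the "right" side here.

```ini
# Added example, not the poster's or strongSwan's own configuration.
# Assumptions: IKEv1 hybrid auth (leftauth=pubkey + rightauth=xauth-radius),
# RADIUS returns a group name per user, and the 10.10.x.x addresses below
# are constructed placeholders.
config setup

conn %default
        keyexchange=ikev1
        leftauth=pubkey
        leftcert=gatewayCert.pem
        leftid=@vpn.example.org
        rightauth=xauth-radius
        rightsourceip=10.10.1.0/24
        auto=add

# Users the RADIUS backend places in the "dns-restricted" group get the
# custom DNS server, and the negotiated subnet is limited to the network
# that server lives in, so the client cannot simply point at another
# resolver through the tunnel.
conn restricted
        rightgroups=dns-restricted
        rightdns=10.10.2.53
        leftsubnet=10.10.2.0/24

# Everyone else keeps the regular resolver and the full internal range.
conn normal
        rightgroups=dns-normal
        rightdns=10.10.0.53
        leftsubnet=10.10.0.0/16
```

charon picks the conn whose rightgroups matches the group the AAA backend assigned after XAuth succeeds, so the two entries only differ in what they push and narrow.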
