I don't have much experience with IPsec, but I think it is possible to specify a 
different accepted CA for each connection when using swanctl.conf.

"
connections.<conn>.remote<suffix>.cacerts: Comma separated list of CA 
certificates to accept for authentication. The certificates may use a relative 
path from the swanctl x509ca directory or an absolute path.
"

So you should just generate certs with one CA for the first group, and another 
CA for the second group.


> On 11 Oct 2018, at 16:34, bls s <bls3...@outlook.com> wrote:
> 
> In the general sense it’s secure, since the connection is validated by the 
> certs. However, in your particular use case, it does seem that a user could 
> change the Remote ID and access the other VPN subnet. I can’t think of a way 
> offhand to use a cert-based implementation to avoid that, other than using 
> two VPNs, one for each subnet group (with each VPN having a separate root CA 
> cert so no crossover is possible).
>  
> Even if you went to an id/password-based mechanism, you’ll need some way to 
> distinguish the groups. A connection per user would get you there, but that 
> will dramatically increase management complexity, so two VPN servers might be 
> a more management-efficient approach.
>  
> From: Matthieu Nantern <matthieu.nant...@margo.com>
> Sent: Thursday, October 11, 2018 6:47 AM
> To: bls3...@outlook.com
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>  
> It's working, but I'm wondering if it's really secure? A user can just change 
> their Remote ID and gain access to the other networks, no?
> 
> I want something that is server side. I can create one connection for each 
> user, but it's ugly!
> 
> On Mon, 8 Oct 2018 at 21:05, bls s <bls3...@outlook.com> wrote:
> Definitely interested in seeing it replicated. As an aside, I updated my CA 
> management app https://github.com/gitbls/pistrong with more flexibility to 
> generate this type of VPN cert. Unfortunately, it’s fully built around 
> swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration. But, if you 
> run into any issues, happy to help you wrangle it into debug mode to use that 
> part of the tool.
>  
> From: Matthieu Nantern <matthieu.nant...@margo.com>
> Sent: Sunday, October 7, 2018 11:23 PM
> To: bls3...@outlook.com
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>  
> Very good idea! I will try that this week and will let you know if it works!
> 
> Thank you !
> 
> On Sun, 7 Oct 2018 at 00:17, bls s <bls3...@outlook.com> wrote:
> I just did a quick test using my iPhone, and it appears to work just fine. 
> Using 2 strongSwan profiles, each profile has a different VPN cert, with 
> different altNames in the cert. By changing the Remote ID on iOS I was able 
> to authenticate with each of the 2 profiles.
> 
>  
> From: bls s <bls3...@outlook.com>
> Sent: Friday, October 5, 2018 6:54 AM
> To: Matthieu Nantern <matthieu.nant...@margo.com>
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
> 
>  
> I haven't looked into this in detail, but could you use different VPN certs 
> for each subnet? Each VPN cert would be in a different conn section, and they 
> would have different altNames (SAN). If I understand the macOS VPN config 
> correctly (it looks a lot like iOS), when certs are installed onto macOS, you 
> can specify the Remote ID, which is the SAN that matches that of the VPN cert.
> 
> From: Matthieu Nantern <matthieu.nant...@margo.com>
> Sent: Thursday, October 4, 2018 11:31 PM
> To: bls3...@outlook.com
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>  
> We are using certificates (one for each client device), but I have 2 networks: 
> n1 and n2. And I want some users to be able to access n1 and others n1 + n2.
> 
> 
> I wanted to make the distinction by using a conf like this:
> 
> conn alice
>         leftsubnet=10.1.0.10/32
>         right=%any
>         rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
>         auto=add
> 
> conn venus
>         leftsubnet=10.1.0.20/32
>         right=%any
>         rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
>         auto=add
> But unfortunately with macOS clients I don't have the Distinguished Names but 
> only the FQDN:
> 
> ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastn...@test.com]
> ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o
> 
> 
> And if you compare that with the strongSwan Android client:
> 
> ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastn...@test.com]
> ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o
> 
> 
> So I cannot route my users according to their certificates, and I was 
> wondering what I can do?
> 
> 
> 
> On Thu, 4 Oct 2018 at 19:42, bls s <bls3...@outlook.com> wrote:
> 
> Someone will likely explain why using certificates sucks, but if you use 
> certificates (one for each client device) you'll have fine-grained user 
> access control (by revoking/deleting certs), and you don't need to list all 
> the enabled certs anywhere in your config file.
> From: Users <users-boun...@lists.strongswan.org> on behalf of Matthieu Nantern 
> <matthieu.nant...@margo.com>
> Sent: Thursday, October 4, 2018 8:41 AM
> To: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>  
> Is it possible to have multiple email addresses in the "rightid" parameter? 
> Maybe I can list all authorized users for each server instead of relying on 
> Distinguished Names?
> 
> 
> 
> On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern <matthieu.nant...@margo.com> wrote:
> 
> Hi!
> 
> 
> I installed strongSwan to allow my users (mainly macOS X clients) to use the 
> native IKEv2 authentication. Everything is working fine.
> 
> 
> Now I would like to implement something like this: 
> https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html ; 
> allowing some clients to access some networks and not others.
> 
> 
> Unfortunately I didn't see (or understand) the issue on that page 
> (https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):
> 
> 
> ASN.1 Distinguished Names can't be used as identities because the client 
> currently sends them as identities of type FQDN.
> 
> 
> As a result, when I put rightid in my configuration it's not working because 
> macOS X is only sending an FQDN (an email address in my case) and not the 
> Distinguished Name.
> 
> 
> 
> My question is: how can I allow (or deny) some network to some users?
> 
> 
> 
> I have a file that associates email addresses with "roles" but I don't know 
> how to use it. Maybe a plugin?
> 
> 
> Any ideas/links?
> 
> 
> Thank you!
> 
> --
> 
> Matthieu Nantern
> SRE, Margo Bank
> +33683148506

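The per-connection CA split suggested in the last reply, written out as an added swanctl.conf example (not configuration from the thread or from the strongSwan project). Every name in it is a placeholder: vpn.test.net is the server identity the macOS clients use as Remote ID, vpn.test.net.pem is the server certificate in /etc/swanctl/x509 (its key in /etc/swanctl/private), group1-ca.pem and group2-ca.pem are the two group CAs in /etc/swanctl/x509ca, and the 10.x networks and pools stand in for n1, n2 and the client address ranges. The two connections differ only in which CA they accept and which subnet they expose, which is what makes the client-chosen Remote ID and Local ID irrelevant to the access decision:

```conf
# Added example swanctl.conf, not from the original thread. All names and
# addresses are placeholders (see the lead-in). Load with: swanctl --load-all
connections {

    # Group 1: only certificates issued by group1-ca.pem are accepted, and the
    # Child SA exposes n1 (10.1.0.0/24) only.
    n1-only {
        version = 2
        local_addrs = %any
        remote_addrs = %any
        # Apple's native client expects the server certificate in IKE_AUTH.
        send_cert = always
        pools = pool-n1
        local {
            auth = pubkey
            certs = vpn.test.net.pem
            # Must match a SAN of vpn.test.net.pem and the client's Remote ID.
            id = vpn.test.net
        }
        remote {
            auth = pubkey
            # The enforcement point. remote.id is deliberately left at its
            # default (%any): the IDi a client sends is chosen by the client,
            # and with macOS it is only an FQDN/email anyway. A client holding
            # a group1 certificate cannot be matched to n1-and-n2 below no
            # matter which Remote ID or Local ID it configures.
            cacerts = group1-ca.pem
        }
        children {
            n1 {
                local_ts = 10.1.0.0/24
            }
        }
    }

    # Group 2: only certificates issued by group2-ca.pem are accepted, and the
    # Child SA exposes n1 and n2.
    n1-and-n2 {
        version = 2
        local_addrs = %any
        remote_addrs = %any
        send_cert = always
        pools = pool-n1n2
        local {
            auth = pubkey
            certs = vpn.test.net.pem
            id = vpn.test.net
        }
        remote {
            auth = pubkey
            cacerts = group2-ca.pem
        }
        children {
            n1n2 {
                local_ts = 10.1.0.0/24, 10.2.0.0/24
            }
        }
    }
}

# Separate virtual IP pools per group, so server-side firewall rules can key
# on the assigned address as a second, client-independent enforcement point.
pools {
    pool-n1 {
        addrs = 10.8.1.0/24
    }
    pool-n1n2 {
        addrs = 10.8.2.0/24
    }
}
```

Both connections look identical to the client until authentication, so charon will select a connection, check the peer certificate's trust chain against that connection's cacerts constraint, and switch to the other matching connection if the constraint is not met; `swanctl --list-sas` then shows which connection (n1-only or n1-and-n2) each established client actually landed on, which is the check to run after changing a user's certificate. The CA named in cacerts may be an intermediate, so one root with two group-specific intermediates works as well as two independent roots. Whichever variant is used, moving a user from group 1 to group 2 means issuing a certificate from the group 2 CA, so the group 2 CA key is the asset that gates access to n2 and should be protected accordingly; revoking the old certificate (CRL or OCSP) is what removes the old access.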