I use strongswan ipsec as VPN gateway for mobile devices (Android). In StrongSwan config I've setup 2 connections (two different subnets 10.10.10.0/24, 10.10.20.0/24 with different routing policies) for 2 different groups of users.
And I don't understand (and can't find in manuals and forums) how to link user with connection. Where and how to setup a strict user>connection relation ?
Thank you!
My ipsec config:
cat /etc/ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn any2ex
auto=add
compress=yes
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=*.*.233.132 #I've masked server IP for this post. Certificate was issued for the ip address.
left=*.*.233.132
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
conn ex2loc
auto=add
compress=yes
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=*.*.233.132
leftid=*.*.233.132
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.20.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
I configure Android clients with this
https://docs.strongswan.org/strongswan-docs/5.9/os/androidVpnClientProfiles.html#_example
Best Answer
The connection choice is based on
rightidand depends on what is used as IKE identity by the client. If your users present RFC822_ADDR as identity, you can use some sort of a wildcard with * onrightidinstead of%anyto differentiate them.