I am a beginner with strongSwan, so I apologize for this beginner's query. I have created a Debian server with strongSwan. Three networks are connected to this server,
network_1: 192.168.10.0/24, network_2: 192.168.20.0/24 and network_3: 192.168.30.0/24, via Mikrotik LTE routers and the IKEv2-PSK protocol. Together with these networks, Windows, iOS, OSX and Android clients can connect to this server via IKEv2 with MSCHAP-EAP authentication. All is working without problems, and all IPs in all three networks are accessible to every connected client.
At this moment I would like to assign some of the following access rights to MSCHAP-EAP clients, for example:
Client Bob/password1 should be able to access only IPs in network2 and no other IPs
Client Alice/password2 should be able to access only the IP address range 192.168.20.100 – 150 in the second network and no other IPs
Client John/password3 should be able to access only the IP address ranges 192.168.30.10 – 50 and 192.168.10.150 – 200 and the IP address 192.168.20.44
Could anybody be so kind and help me solve it? Ideally with reference to any example of solution…
Thank you in advance
Petr
Best Answer
A possible way to do this is using EAP-RADIUS. The RADIUS server can return Class attributes that can be matched against configs (rightgroups in ipsec.conf, or groups in swanctl.conf). Then you can define different local traffic selectors for each of these groups. The ikev2/rw-eap-md5-class-radius strongSwan test scenario illustrates this.
If you don't want to or can't use EAP-RADIUS, there is a way to match individual EAP identities, but it's a bit tricky because strongSwan does not fully support connection switching based on such identities. To do this, a dummy connection with a fake group has to be used. This is how it could look in ipsec.conf:
With EAP-RADIUS the config would look quite similar, but you wouldn't need the eap-init connection (instead you'd add eap_identity=%identity to eap-shared), and instead of defining eap_identity in each individual connection you'd set rightgroups to the groups (i.e. EAP-RADIUS Class attribute values) for which that connection should be used (i.e. this allows using the same conn section for multiple users).
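The following ipsec.conf is an added illustration of the dummy-connection approach described in the answer, written against the asker's three networks; it is not the answerer's own config. It assumes the server authenticates with a certificate (leftauth=pubkey, placeholder identity and certificate file), that each user's EAP password is kept in ipsec.secrets, that the virtual IP pool 10.99.0.0/24 is a placeholder, and that the installed strongSwan version accepts address ranges in leftsubnet (otherwise substitute CIDR blocks).

```ini
# Settings shared by every per-user conn (pulled in with "also").
# Placeholder values: leftid, leftcert and rightsourceip are assumptions.
conn eap-shared
    left=%any
    leftid=@vpn.example.org
    leftcert=serverCert.pem
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=10.99.0.0/24
    auto=add

# Dummy conn that is matched first. It asks the client for its EAP
# identity; after authentication the "fake" group is never satisfied,
# so strongSwan switches to the conn whose eap_identity matches.
conn eap-init
    also=eap-shared
    eap_identity=%identity
    rightgroups=fake

# Bob: the whole second network, nothing else.
conn bob
    also=eap-shared
    eap_identity=bob
    leftsubnet=192.168.20.0/24

# Alice: only hosts .100 to .150 of the second network.
# Address ranges in leftsubnet are assumed to be supported here.
conn alice
    also=eap-shared
    eap_identity=alice
    leftsubnet=192.168.20.100-192.168.20.150

# John: two ranges plus one host, as a comma-separated selector list.
conn john
    also=eap-shared
    eap_identity=john
    leftsubnet=192.168.30.10-192.168.30.50,192.168.10.150-192.168.10.200,192.168.20.44/32
```

The EAP identity strings (bob, alice, john) must match the identities the clients send and the EAP entries in ipsec.secrets; the traffic selectors negotiated for each user are visible in the charon log when the CHILD_SA is established.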