Roadwarrior config with IKEv2 and different user groups

robort · September 17, 2018, 6:18pm

Hey,

i want to migrate an standalone strongswan to vyos 1.2 rolling relaese. First as a test, maybe later in production.

I build a roadwarrior config for Apple iOS via IPSec an IKEv2 for per App VPN
If user1@001.domain.tld is login with his certificat, he get an address from the 10.215.1.0/24 pool.
If user2@002.domain.tld is login with his certificat, he get an address from the 10.215.2.0/24 pool.

So different usergroups get different Firewallrules.

Is there an elagant way to build that in the actuall vyos config?

my strongswan config:

conn ikev2-cert-template
 leftcert=server.crt
 leftid="server.domain.tld"
 auto=add
 keyexchange=ikev2
 left=%any
 leftid=@server.domain.tld
 leftsendcert=always
 leftsubnet=0.0.0.0/0
 leftauth=pubkey
 right=%any
 rightauth=eap-tls
 rightdns=10.166.253.11
 rightca="DC=tld DC=domain, CN=pki"
 eap_identity=%identity
 esp=aes256-sha256,aes256-sha1,3des-sha1!
 auto=ignore 

conn ikev2-vpn-10.215.1.0
 also=ikev2-cert-template
 rightid="*@001.domain.tld"
 rightsourceip=10.215.1.0/24
 auto=start 

conn ikev2-vpn-10.215.2.0
 also=ikev2-cert-template
 rightid="*@002.domain.tld"
 rightsourceip=10.215.2.0/24
 auto=start

syncer · September 17, 2018, 8:09pm

not sure, but would be interested to find a way

hagbard · September 18, 2018, 4:59pm

Should be possible, since you can execute code if a tunnel has been established (each phase creates an event - updown Plugin :: strongSwan Documentation).
So updown scripts would be the way to if you do it manually.
For vyos, as far as I see in the code, it would have to be implemented first to do that via cli.