Hi,
The proper solution is to use either ...
1) attribute certificates that certifify group membership for the client
2) Use a AAA service (RADIUS!) to get group memberships from the user directory
Then use rightgroups to switch conns based on the user's group membership.
Kind regards
Noel
On 17.01.2018 16:14, Peter Benko wrote:
> Hi all,
>
> I have a working strongswan IKEv2-EAP VPN setup, where remote (windows)
> clients connect to a corporate LAN.
>
> Now I'd like to select certain 'restricted' users that are only able to
> access a single IP address on the corporate network. My initial idea is to
> use iptables rules for that on the VPN server. For this to work, I'd need a
> separate client IP address range allocated for these 'restricted' users. How
> can I do this? Is it possible to define a separate connection in ipsec.conf
> based on e.g., server DNS name (e.g., vpn-resticted.domain.com instead of
> vpn.domain.com)? In this 'restricted' connection, I could define a different
> rightsourceip range, which I could use in the iptables rules... But how could
> I prevent clients connecting to the unrestricted vpn.domain.com?
>
> Or am I completely wrong here? Is there maybe a more straightforward way to
> achive my high level goal?
>
> Thanks,
>
> Peter
>
>
>
signature.asc
Description: OpenPGP digital signature