[strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-11 Thread Marwan Khalili
Hi! I am wondering if it is possible for multiple connections to have the same pool without being shared? E.g. client1 on conn1 and client2 on conn2 are both assigned 10.10.0.1. I read on the “Virtual IP” wiki page that multiple connections can share the same pool if they use the same rightsour

[strongSwan] Multiple connections same virtual pool without sharing

2018-10-11 Thread Marwan Khalili
Hi! I am wondering if it is possible for multiple connections to have the same pool without being shared? E.g. client1 on conn1 and client2 on conn2 are both assigned 10.10.0.1. I read on the “Virtual IP” wiki page that multiple connections can share the same pool if they use the same rightsource

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-11 Thread bls s
Ah, good catch, Jean-Daniel. If that works, it would indeed address Matthieu’s concerns. From: Jean-Daniel Dupas Sent: Thursday, October 11, 2018 7:44 AM To: users@lists.strongswan.org Subject: Re: [strongSwan] Ikev2 wildcards with Mac

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-11 Thread Jean-Daniel Dupas
I don't have much experience with ipsec, but I think it is possible to specify different accepted CA for each connection when using swanctl.conf. " connections..remote.cacerts: Comma separated list of CA certificates to accept for authentication. The certificates may use a relative path from th

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-11 Thread bls s
In the general sense it’s secure, since the connection is validated by the certs. However, in your particular use case, it does seem that a user could change the Remote ID and access the other VPN subnet. I can’t think of a way offhand to use a cert-based implementation to avoid that, other than

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-11 Thread Matthieu Nantern
It's working but I'm wondering if it's really secure? A user can just change their Remote ID and gain access to the other networks, no? I want something that is server side. I can create one connection for each user but it's ugly! On Mon, 8 Oct 2018 at 21:05, bls s wrote: > Definitely inter