Hello, I was trying to have two different address pools for clients based on info in certificate DN.
I did this by configuring two basically identical connections, just with different rightaddresspool and rightid:

    conn ikev2-cp-static
        left=%eth0
        leftcert=vpn.example.net
        [email protected]
        leftsendcert=always
        leftsubnet=10.0.0.0/8
        leftrsasigkey=%cert
        right=%any
        rightid="CN=static,O=IKEv2 VPN"
        rightaddresspool=192.168.43.10-192.168.43.10
        rightca=%same
        rightrsasigkey=%cert
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        pfs=no
        ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
        phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
        ikelifetime=24h
        salifetime=24h
        encapsulation=yes
        mobike=yes

    conn ikev2-cp-others
        left=%eth0
        leftcert=vpn.example.net
        [email protected]
        leftsendcert=always
        leftsubnet=10.0.0.0/8
        leftrsasigkey=%cert
        right=%any
        rightid="CN=vpnclient,O=IKEv2 VPN"
        rightaddresspool=192.168.43.11-192.168.43.250
        rightca=%same
        rightrsasigkey=%cert
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        pfs=no
        ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
        phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
        ikelifetime=24h
        salifetime=24h
        encapsulation=yes
        mobike=yes

This however didn't do what I wanted, because no matter which cert I used on the client, the "ikev2-cp-static" connection was always matched on the server (and subsequently failed on certificate auth in case I used the cert with CN=vpnclient). Does it mean only the left/right fields are used to match the connection first, and afterwards the id is just validated, without falling back to another matching connection? Is there some place I can read more about how exactly the matching works and also which connection takes precedence if more are matching? I was not able to find much info about this. My end goal was to have one client with a statically assigned IP (hence the small addresspool), while other clients have dynamic IPs.
I can't use "right" to distinguish them as they can be behind the same NAT. That's why I tried to use the cert fields. Would anyone have some tip on how else I could accomplish my goal? Thanks for the help! Regards, Jan
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
