On Fri, 28 Jan 2022 00:41:19 +0100 Jan Koriťák <[email protected]> wrote:
> Hello,
>
> I was trying to have two different address pools for clients based on
> info in certificate DN.
>
> I did this by configuring two basically identical connections, just
> with different rightaddresspool and rightid.
>
> conn ikev2-cp-static
>     rightid="CN=static,O=IKEv2 VPN"
>
> conn ikev2-cp-others
>     rightid="CN=vpnclient,O=IKEv2 VPN"

For others you want rightid=%fromcert so it matches all valid
certificates. Or rightid="CN=*,O=IKEv2 VPN".

> This however didn't do what I wanted, because no matter which cert I
> have used on the client, the "ikev2-cp-static" connection was always
> matched on the server (and subsequently failed on certificate auth in
> case I used the cert with CN=vpnclient).

Note: ALL fields in the certificate subject must be present in the
configuration for it to match at all. So if you have
rightid="CN=*,O=IKEv2 VPN" and the certificate has "CN=testclient", this
can't match. Or the other way around: if the certificate has more fields,
it doesn't match either.

Also note you need one certificate per road warrior. So the same
certificate can't be used on multiple road warriors (some call these
clients, but in IPsec terminology it is different).

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
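The matching rule in the reply above (every attribute in rightid must be in the certificate subject, the subject must carry no extra attribute, "*" matches any value, %fromcert matches any subject), written out as an added Python model. This is illustration code for the thread, not Libreswan's own DN comparison; the conn names and the DNs are the thread's examples plus constructed ones (CN=alice, OU=ops), and ignoring attribute order is an assumption of the model, not something the reply states.

```python
"""Model of the rightid / certificate-subject matching rule from the reply.

Added illustration, not Libreswan code.  It encodes the rule the reply
states: every attribute in the rightid must be present in the certificate
subject, the subject must carry no attribute the rightid lacks, a '*'
value in the rightid matches any value of that attribute, and
rightid=%fromcert accepts any subject.  Attribute order is ignored here
(an assumption of this model; the reply does not say whether Libreswan
compares order).
"""
from __future__ import annotations


def parse_dn(dn: str) -> dict[str, str]:
    """Split 'CN=static,O=IKEv2 VPN' into {'CN': 'static', 'O': 'IKEv2 VPN'}.

    Plain split on commas; enough for the DNs on this thread, not a full
    RFC 4514 parser (no escaped commas, no multi-valued RDNs).
    """
    attrs: dict[str, str] = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def rightid_matches(rightid: str, subject: str) -> bool:
    """True if the certificate subject satisfies the rightid."""
    if rightid == "%fromcert":
        return True  # any subject, once the certificate itself verified
    want = parse_dn(rightid)
    have = parse_dn(subject)
    # Attribute sets must be identical in both directions: a field missing
    # on either side is a mismatch, wildcards or not.  This is why
    # "CN=*,O=IKEv2 VPN" cannot match a bare "CN=testclient".
    if want.keys() != have.keys():
        return False
    return all(value == "*" or value == have[attr]
               for attr, value in want.items())


def matching_conns(conns: list[tuple[str, str]], subject: str) -> list[str]:
    """Names of every conn whose rightid matches the subject, in config order."""
    return [name for name, rightid in conns
            if rightid_matches(rightid, subject)]


# Jan's original configuration: two conns with exact rightids.
ORIGINAL_CONNS = [
    ("ikev2-cp-static", "CN=static,O=IKEv2 VPN"),
    ("ikev2-cp-others", "CN=vpnclient,O=IKEv2 VPN"),
]

# The reply's suggestion: a wildcard catch-all for everyone else.
WILDCARD_CONNS = [
    ("ikev2-cp-static", "CN=static,O=IKEv2 VPN"),
    ("ikev2-cp-others", "CN=*,O=IKEv2 VPN"),
]


if __name__ == "__main__":
    # Constructed subjects: two from the thread, two made up for the example.
    for subject in ("CN=static,O=IKEv2 VPN", "CN=alice,O=IKEv2 VPN",
                    "CN=testclient", "CN=static,O=IKEv2 VPN,OU=ops"):
        print(f"{subject:36} original={matching_conns(ORIGINAL_CONNS, subject)}"
              f" wildcard={matching_conns(WILDCARD_CONNS, subject)}")
```

Running it shows the two failure modes the reply names (a subject missing O, or carrying an extra OU, matches nothing) and one overlap worth noticing: under the suggested wildcard configuration the static client's certificate satisfies both conns, since "CN=*" also matches "static". Which of two overlapping conns Libreswan then uses is outside both the reply and this model.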
