Uli, Thank you for the response.
I think this would certainly work to achieve what I need, but I don't think it would scale well. If we had, say, 3 backend subnets, there are 7 IP address pools that potentially need firewalling. I am looking at the potential of having 10+ backends. I wonder if there are any more scalable options?

Regards,

Andy Paton
Business Development Solution Architect
HP Enterprise Services

From: Ulrich Schinz [mailto:ulrich.sch...@ksfh.de]
Sent: 05 June 2013 10:20
To: Paton, Andy; users@lists.strongswan.org
Subject: Re: [strongSwan] Certificate Based Routing

Hey Andy,

maybe this helps a bit. I tried something similar: I tried to establish a "group" system based on my certificates. So here is my server config:

conn group1
    left=192.168.0.200
    leftcert=vpnserver.crt
    leftsubnet=192.168.5.0/24
    leftid=vpnserver.of.our.company.fqdn
    leftfirewall=yes
    right=%any
    rightid="DC=de, DC=company, O=Companyname, OU=group1 certificate, CN=*"
    rightsourceip=10.0.50.0/24
    auto=add

conn group2
    left=192.168.0.200
    leftcert=vpnserver.crt
    leftsubnet=192.168.5.0/24,192.168.3.0/24
    leftid=vpnserver.of.our.company.fqdn
    leftfirewall=yes
    right=%any
    rightid="DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=*"
    rightsourceip=10.0.0.0/24
    auto=add

So now generating different certificates with the right IDs should bring you into the correct subnet. Further, by choosing a rightsourceip you can configure your firewall to accept connections to some hosts depending on the sender's address. In the config I have different rightsourceips defined...

Your firewall settings can be edited or configured. The default script for that is the updown script of strongSwan. On Debian wheezy I could find it in /usr/libexec/ipsec/_updown

Hope this helps.

Kind regards
Uli

On 05.06.2013 10:36, Paton, Andy wrote:

I am trying to design a unified VPN gateway - by unified I mean one VPN headend which can handle connections to multiple backends.
I have a VM with a number of NICs attached:

eth0 - Front-facing IP of headend 10.1.0.2/30
eth1 - Backend resource group A 172.18.81.137/24
eth2 - Backend resource group B 162.18.81.137/24

So the intention is to configure the VPN connection to inspect a device/user certificate (X.509) and route to the backend resource according to an ACL.

So for example: Joe Bloggs is permitted to access resources on both backend A and B. Mickey Mouse is permitted to access only resources on backend B.

Joe Bloggs establishes a VPN connection to the headend and attempts to connect to a resource, 172.17.81.142 for example, on resource group A. Based on Joe's certificate he should be routed accordingly for this request. If Mickey Mouse attempts to access the same resource, because the certificate doesn't permit access, then strongSwan should block access to this IP address.

How might I go about configuring strongSwan to do this?

Current config looks like this - for dropping resources onto a single subnet:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256-modp1024!

conn rw
    #left=10.1.0.2
    leftcert=supermanCert.der
    leftid="CN=EN, O=JusticeLeague, CN=Metropolis"
    leftsubnet=172.17.81.137/27
    leftfirewall=yes
    right=%any
    rightsourceip=10.3.100.0/24
    rightid=%any
    keyexchange=ikev2
    auto=add

Andy Paton
Business Development Solution Architect
HP Enterprise Services

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

--
Ulrich Schinz
ulrich.sch...@ksfh.de
Katholische Stiftungsfachhochschule München
Department Benediktbeuern
Don Bosco Str. 1
83671 Benediktbeuern
Phone +49 8857 88 506
www.ksfh.de

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
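Added example (not part of the thread above and not strongSwan's own _updown script): one way to address the scaling concern Andy raises while keeping the certificate-group idea Uli describes. Instead of one conn and one address pool per group, a single custom updown script, installed with leftupdown=/path/to/this/script on the gateway conn (in place of leftfirewall=yes, which only selects the stock script), reads the authenticated peer identity and the peer's virtual IP from the environment strongSwan exports to updown scripts (PLUTO_VERB, PLUTO_PEER_ID, PLUTO_PEER_CLIENT) and inserts FORWARD rules only for the backend subnets that peer's OU is allowed to reach. The group names (group1, group2), the backend subnets and the OU-to-subnet table are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical custom updown script for strongSwan (added example; the stock
# script lives at /usr/libexec/ipsec/_updown on Debian wheezy, as Uli notes).
# charon exports, among others:
#   PLUTO_VERB         up-client / down-client (and the -host variants)
#   PLUTO_PEER_ID      the authenticated rightid, e.g.
#                      "DC=de, O=Companyname, OU=group2 certificate, CN=alice"
#   PLUTO_PEER_CLIENT  the peer's traffic selector, for road warriors the
#                      virtual IP assigned from rightsourceip, e.g. 10.0.0.7/32

IPTABLES="${IPTABLES:-iptables}"   # override (e.g. IPTABLES=echo) for a dry run

# Assumed group -> backend subnet table. Adding a backend or a group is one
# line here instead of a new conn block and a new rightsourceip pool.
subnets_for_group() {
    case "$1" in
        group1) echo "172.18.81.0/24" ;;                  # backend A only
        group2) echo "172.18.81.0/24 172.18.82.0/24" ;;   # backends A and B
        *)      echo "" ;;                                # unknown OU: nothing
    esac
}

# Pull the group name out of the DN. In Uli's scheme the OU is
# "<group> certificate", so the first word of the OU value is the group.
ou_group_of() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*OU=\([^ ]*\).*/\1/p' | head -n 1
}

# Insert (up-client) or delete (down-client) the per-peer FORWARD rules.
# Only ESP-decapsulated traffic is matched (-m policy), so a spoofed
# cleartext packet with the virtual IP as source never hits the ACCEPT rule.
# Arguments: verb peer_id peer_client
apply_rules() {
    verb="$1"; peer_id="$2"; peer_client="$3"
    case "$verb" in
        up-client)   op="-I" ;;
        down-client) op="-D" ;;
        *)           return 0 ;;   # host-to-host verbs carry no client selector
    esac
    group=$(ou_group_of "$peer_id")
    for net in $(subnets_for_group "$group"); do
        "$IPTABLES" "$op" FORWARD -s "$peer_client" -d "$net" \
            -m policy --dir in --pol ipsec -j ACCEPT
        "$IPTABLES" "$op" FORWARD -d "$peer_client" -s "$net" \
            -m policy --dir out --pol ipsec -j ACCEPT
    done
}

# When invoked by charon, act on the environment it exported.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply_rules "$PLUTO_VERB" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT"
fi
```

A peer whose OU is not in the table gets no FORWARD rule at all, so with a default DROP policy on FORWARD the certificate group is the ACL. The script trusts PLUTO_PEER_ID only because charon sets it after the peer's certificate has been verified; the conn still has to pin which CA may issue those certificates (for example with rightca), otherwise any certificate carrying a matching OU would be accepted. With several leftsubnets on one conn the script runs once per child SA, so the same rule can be inserted more than once; the matching down-client calls remove them again.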