Hi all,

I have a working strongswan IKEv2-EAP VPN setup, where remote (windows) clients 
connect to a corporate LAN.

Now I'd like to select certain 'restricted' users that are only able to access 
a single IP address on the corporate network. My initial idea is to use 
iptables rules for that on the VPN server. For this to work, I'd need a 
separate client IP address range allocated for these 'restricted' users. How 
can I do this? Is it possible to define a separate connection in ipsec.conf 
based on e.g., server DNS name (e.g., vpn-restricted.domain.com instead of 
vpn.domain.com)? In this 'restricted' connection, I could define a different 
rightsourceip range, which I could use in the iptables rules... But how could I 
prevent clients connecting to the unrestricted vpn.domain.com?

Or am I completely wrong here? Is there maybe a more straightforward way to 
achieve my high level goal?

Thanks,

Peter
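The layout the question sketches, written out as an added example (not part of the original post and not a strongSwan project sample): two ipsec.conf conn sections that share their EAP settings via `conn %default`, differ only in `leftid` and `rightsourceip`, and so hand restricted users addresses from a pool that iptables can match on. Hostnames, pool ranges, the certificate file name and the protected host address are placeholders.

```ini
# Settings shared by both connections (placeholder names and ranges).
conn %default
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=serverCert.pem      # must carry BOTH hostnames as subjectAltName
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add

# Regular staff: chosen when the client sends IDr = vpn.domain.com.
conn unrestricted
    leftid=@vpn.domain.com
    rightsourceip=10.10.10.0/24

# Restricted users: chosen when the client sends IDr = vpn-restricted.domain.com.
# The separate pool is the only thing the firewall needs to key on.
conn restricted
    leftid=@vpn-restricted.domain.com
    rightsourceip=10.10.20.0/24
```

With that in place the forwarding policy is two rules placed ahead of whatever accepts VPN traffic in FORWARD, for example `iptables -I FORWARD 1 -s 10.10.20.0/24 -d 192.0.2.10 -m policy --dir in --pol ipsec -j ACCEPT` followed by `iptables -I FORWARD 2 -s 10.10.20.0/24 -m policy --dir in --pol ipsec -j DROP` (192.0.2.10 standing in for the single permitted host). Two caveats on the last question in the post: conn selection by `leftid` only works if the client actually sends the server name as IDr, and it does nothing to stop a restricted user from typing vpn.domain.com instead, because EAP credentials in ipsec.secrets are global to all conns. Keeping restricted users out of the unrestricted conn needs an authentication backend that reports group membership (strongSwan's `rightgroups` option, fed by eap-radius Class attributes or attr-sql), so that `conn unrestricted` can require a group the restricted accounts are not in.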