Hi,

The proper solution is to use either ...

1) attribute certificates that certify group membership for the client
2) an AAA service (RADIUS!) to get group memberships from the user directory

Then use rightgroups to switch conns based on the user's group membership.

Kind regards
Noel

On 17.01.2018 16:14, Peter Benko wrote:
> Hi all,
>
> I have a working strongswan IKEv2-EAP VPN setup, where remote (Windows)
> clients connect to a corporate LAN.
>
> Now I'd like to select certain 'restricted' users that are only able to
> access a single IP address on the corporate network. My initial idea is to
> use iptables rules for that on the VPN server. For this to work, I'd need a
> separate client IP address range allocated for these 'restricted' users. How
> can I do this? Is it possible to define a separate connection in ipsec.conf
> based on e.g., server DNS name (e.g., vpn-resticted.domain.com instead of
> vpn.domain.com)? In this 'restricted' connection, I could define a different
> rightsourceip range, which I could use in the iptables rules... But how could
> I prevent clients connecting to the unrestricted vpn.domain.com?
>
> Or am I completely wrong here? Is there maybe a more straightforward way to
> achieve my high level goal?
>
> Thanks,
>
> Peter
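One way to put Noel's RADIUS-based suggestion into configuration, as an added example that is not part of the thread: two conns share the EAP-RADIUS authentication and differ only in rightgroups and the virtual IP pool, so the restricted pool is what the server's iptables rules can match on. Assumed, not from the thread: the group name "restricted" delivered in the RADIUS Class attribute, the pools 10.10.1.0/24 and 10.10.2.0/24, the certificate file name and the RADIUS server address.

```conf
# /etc/ipsec.conf (added example). Group membership is only known after EAP
# completes, so charon authenticates with the first matching conn and then
# switches to the first conn whose constraints the client satisfies.
conn base
    keyexchange=ikev2
    left=%any
    leftid=@vpn.domain.com
    leftcert=vpnServerCert.pem      # assumed file name
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=eap-radius
    eap_identity=%identity
    auto=ignore                     # template only, never loaded itself

# Restricted users: listed first, because a restricted user would also satisfy
# the unconstrained conn below. Separate pool -> iptables can match source IP.
conn restricted
    also=base
    rightgroups=restricted          # assumed group name from RADIUS Class
    rightsourceip=10.10.2.0/24      # assumed restricted pool
    auto=add

# Everyone else: no group constraint, default pool.
conn full
    also=base
    rightsourceip=10.10.1.0/24      # assumed default pool
    auto=add

# /etc/strongswan.conf (relevant part): take the group name from the Class
# attribute of the RADIUS Access-Accept.
charon {
    plugins {
        eap-radius {
            class_group = yes
            servers {
                primary {
                    address = 10.0.0.5              # assumed RADIUS server
                    secret = <shared-secret>         # placeholder
                    auth_port = 1812
                }
            }
        }
    }
}
```

With this in place the firewall rule on the VPN server only needs to match the 10.10.2.0/24 source range, and a client whose RADIUS reply carries no "restricted" Class simply falls through to the full conn.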