
Issue #2719

Windows - Different peer configs per identity

Added by karan kapoor about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.3.5
Resolution:
No change required

Description

I am setting up StrongSwan VPN Servers for Windows users and want to use different rightsourceip for each of the users.

With Ubuntu, I am able to achieve this, since the peer config chosen when connecting with Ubuntu is based on the identity (the peer configs are named the same as the identity).
"looking for peer configs matching 172.30.1.4[%any]...14.xxx.xxx.xxx[testuser]"

However, with Windows, I always get an error in the logs, stating:
"looking for peer configs matching 172.30.1.4[%any]...14.xxx.xxx.xxx[local-ip-address-of-client]"
"no matching peer config found"

I came across this issue "https://wiki.strongswan.org/issues/735" which has the following comment

Not sure about BlackBerries, but Windows actually does not send any sane IKE identity; it uses the local IP address. That makes configuration matching impossible. Unfortunately, we currently don't support configuration matching based on EAP identities.

The server logs (when the Windows client connects) and the comment above are completely in sync, since I see the private IP address of the client's machine.

Since this comment dates back 4 years, I was just wondering whether this issue has been resolved and whether it is possible to use peer configs similar to the identity. If not, please let me know if there is a way to achieve this.


Related issues

Related to Feature #1057: conn switching based on eap identity (New, 06.08.2015)
Related to Issue #2916: more specific conn (rightid) not selected (Closed)

History

#1 Updated by Tobias Brunner about 3 years ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Priority changed from High to Normal

I am setting up StrongSwan VPN Servers for Windows users and want to use different rightsourceip for each of the users.

I guess the point is that you want to assign a "specific" address to each client and not just a "different" one, because each client (with a different identity) will obviously get a different virtual IP, even if they are assigned from a subnet- or range-based IP pool configured in a shared rightsourceip setting. So if you simply want to assign virtual IPs based on identities, then do just that by using either the attr-sql, dhcp or eap-radius backend (see VirtualIP for more).

Since this comment dates back 4 years, so was just wondering if this issue has been resolved

Clearly not, as Windows still does the same. If you were referring to the peer config switching based on EAP identities, that's kinda possible (even without EAP-RADIUS) with a little hack using the rightgroups option (I gave an example in this answer on serverfault.com).
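The two charon log excerpts in the description are enough to tell the two cases apart automatically: a client that sends a name as its IKE identity (the Ubuntu case, `[testuser]`) versus one that sends its own local IP address (the Windows built-in client). The following is an added diagnostic script, not part of the issue or of strongSwan itself; it parses "looking for peer configs matching ..." lines, pairs each lookup with the "selected peer config" or "no matching peer config found" line that follows it, and flags lookups whose remote IKE identity is an IP address, which is exactly the situation in which matching on rightid cannot work and the EAP identity has to be used instead. The log lines and addresses below are constructed samples modelled on the excerpts in the issue.

```python
import ipaddress
import re

# Constructed sample log, modelled on the two excerpts in the issue.
# Addresses and identities are placeholders, not real hosts.
SAMPLE_LOG = """\
looking for peer configs matching 172.30.1.4[%any]...14.0.0.1[testuser]
selected peer config 'testuser'
looking for peer configs matching 172.30.1.4[%any]...14.0.0.2[192.168.1.23]
no matching peer config found
"""

# Matches charon's peer-config lookup line:
#   looking for peer configs matching <me>[<my id>]...<other>[<other id>]
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<lhost>\S+?)\[(?P<lid>[^\]]*)\]\.\.\."
    r"(?P<rhost>\S+?)\[(?P<rid>[^\]]*)\]"
)


def is_ip_identity(identity):
    """True if the IKE identity is a bare IPv4/IPv6 address (what the
    Windows client sends), False for names, FQDNs, DNs, %any etc."""
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def classify_lookups(log_text):
    """Return one record per peer-config lookup found in the log.

    Each record carries the remote host, its IKE identity, whether that
    identity is an IP address, whether charon found a matching config
    (None if the outcome line is missing), and a short hint for the admin.
    """
    results = []
    current = None
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            rid = m.group("rid")
            current = {
                "remote_host": m.group("rhost"),
                "remote_id": rid,
                "ip_identity": is_ip_identity(rid),
                "matched": None,
                "hint": "",
            }
            results.append(current)
            continue
        if current is None:
            continue
        if "selected peer config" in line:
            current["matched"] = True
        elif "no matching peer config found" in line:
            current["matched"] = False
            if current["ip_identity"]:
                # This is the failure mode described in the issue: the
                # IKE identity is the client's local address, so a conn
                # keyed on rightid=<username> can never match. The
                # username only becomes known through EAP, so selection
                # must be based on the EAP identity (e.g. rightgroups or
                # the eap-radius/attr-sql backends), not on rightid.
                current["hint"] = (
                    "IKE identity is an IP address (typical of the Windows "
                    "client); select the conn via the EAP identity instead "
                    "of rightid"
                )
            else:
                current["hint"] = "no conn accepts this identity; check rightid"
    return results


if __name__ == "__main__":
    for rec in classify_lookups(SAMPLE_LOG):
        status = {True: "matched", False: "NO MATCH", None: "unknown"}[rec["matched"]]
        print(f"{rec['remote_host']:<12} id={rec['remote_id']:<14} {status}"
              + (f"  -> {rec['hint']}" if rec["hint"] else ""))
```

Running it over a real charon log (e.g. the output of `journalctl -u strongswan` piped into `classify_lookups`) gives an immediate list of clients whose lookups failed because they identified themselves by IP address rather than by name, which is the quickest way to confirm that the failing clients are Windows machines before changing the configuration.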

#2 Updated by karan kapoor about 3 years ago

Got it working using the example mentioned on serverfault.com

Thanks Tobias for sharing.

#3 Updated by Tobias Brunner about 3 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

#4 Updated by Tobias Brunner about 3 years ago

  • Related to Feature #1057: conn switching based on eap identity added

#5 Updated by Tobias Brunner over 2 years ago

  • Related to Issue #2916: more specific conn (rightid) not selected added
