Feature #693

Time policy for roadwarrior

Added by Rolf Bauer over 7 years ago. Updated over 7 years ago.

Start date:
Due date:
Estimated time:


Hello Forum,
we use strongswan for a few years with ikev2 and dhcp with mysql-plugin.
Works fine and very reliable for about 100 roadwarriors.

Now we have a new requirement for a few users:
for some of them we need a login time policy, so that they only can connect on working hours.
My idea was to create a seperate connection for each of these clients in ipsec.conf. But I can not find any options for login-times in your documentation.
So is this possible (ipsec.conf, plugin?), or do I have to build a workaround with separate iptables-timerestrictions?

Any idea would be very helpfull.

Please let me know, if you need more information.

With Kind regards,
R. Bauer


#1 Updated by Tobias Brunner over 7 years ago

  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

The easiest way to implement something like this is probably to write a custom plugin that implements the authorize hook of the listener_t interface (source:src/libcharon/bus/listeners/listener.h#L179). There you could use the user's identity and the current time to block them.

There is actually a plugin currently under review that allows external scripts to be called for that hook so you could do such checks in an external process.

But if you don't want such users to keep an established connection open beyond the defined end time you'd need to take additional measures, e.g. schedule delete_ike_sa_job_t jobs so such IKE_SAs would get terminated automatically after a while (e.g. when the login time ends). For this a custom plugin would be required anyway.

#2 Updated by Rolf Bauer over 7 years ago

Hi Tobias,
thank you for your quick answer.
I will have a look at the sources and what is possible with the custom plugin you mentioned.

Thanks a lot.

With Kind regards,
R. Bauer

#3 Updated by Martin Willi over 7 years ago

for some of them we need a login time policy, so that they only can connect on working hours.

As outlined by Tobias, strongSwan currently does not provide such a functionality, but it can be implemented with a plugin.

Alternatively, you may consider using an AAA backend over RADIUS, especially if you have a centralized user management anyway. Most authentication servers can enforce login times, on an Active Directory server this is rather trivial.


#4 Updated by Tobias Brunner over 7 years ago

  • Target version deleted (5.2.1)

Also available in: Atom PDF