Strongswan clients access rights

I am a beginner with strongSwan, so I apologize for this beginner's query. I have created a Debian server with strongSwan. Three networks are connected to this server via Mikrotik LTE routers and the IKEv2-PSK protocol: network_1: 192.168.10.0/24, network_2: 192.168.20.0/24 and network_3: 192.168.30.0/24. In addition to these networks, Windows, iOS, OS X and Android clients can connect to this server via the IKEv2 protocol with MSCHAP-EAP authentication. Everything works without problems, and every connected client can reach all IPs in all three networks.

At this moment I would like to assign some of the following access rights to the MSCHAP-EAP clients, for example:

Client Bob/password1 should be able to access only IPs in network_2 and no other IPs.
Client Alice/password2 should be able to access only the IP address range 192.168.20.100-150 in the second network and no other IPs.
Client John/password3 should be able to access only the IP address ranges 192.168.30.10-50 and 192.168.10.150-200 and the IP address 192.168.20.44.

Could anybody be so kind as to help me solve it? Ideally with a reference to an example solution…

Thank you in advance

Petr


Solution 1:

A possible way to do this is using EAP-RADIUS. The RADIUS server can return Class attributes that can be matched against configs (rightgroups in ipsec.conf, or groups in swanctl.conf). Then you can define different local traffic selectors for each of these groups. The ikev2/rw-eap-md5-class-radius strongSwan test scenario illustrates this.

If you don't want to or can't use EAP-RADIUS, there is a way to match individual EAP identities, but it's a bit tricky because strongSwan does not fully support connection switching based on such identities. To do this, a dummy connection with a fake group has to be used. This is how it could look in ipsec.conf:

conn eap-shared
   # options shared by all clients e.g.
   leftcert=...
   # or
   rightsourceip=...
   # or
   rightauth=eap-mschapv2

conn eap-init
   also=eap-shared
   # this config is used to do the EAP-Identity exchange and the
   # authentication of client and server
   eap_identity=%identity
   # the following is used to force a connection switch after
   # the authentication completed
   rightgroups=<any string that is not used as group/class>
   auto=add

conn eap-bob
   also=eap-shared
   [email protected]
   # any options that only apply to this user follow here e.g.
   leftsubnet=192.168.20.0/24
   auto=add

conn eap-alice
   also=eap-shared
   [email protected]
   # any options that only apply to this user follow here e.g.
   # (note that ipsec.conf does not support ranges, and most kernel
   #  interfaces do neither, so a range might be converted to a larger
   #  subnet when installing IPsec policies, so deaggregating the range
   #  is the most accurate way to do this currently)
   leftsubnet=192.168.20.100/30,192.168.20.104/29,192.168.20.112/28,192.168.20.128/28,192.168.20.144/30,192.168.20.148/31,192.168.20.150/32
   auto=add

conn eap-john
   also=eap-shared
   [email protected]
   # any options that only apply to this user follow here e.g.
   # (see above)
   leftsubnet=192.168.30.10/31,192.168.30.12/30,192.168.30.16/28,192.168.30.32/28,192.168.30.48/31,192.168.30.50/32,192.168.10.150/31,192.168.10.152/29,192.168.10.160/27,192.168.10.192/29,192.168.10.200/32,192.168.20.44/32
   auto=add

With EAP-RADIUS the config would look quite similar, but you wouldn't need the eap-init connection (instead you'd add eap_identity=%identity to eap-shared), and instead of defining eap_identity in each individual connection you'd set rightgroups to the groups (i.e. the EAP-RADIUS Class attribute values) for which that connection should be used (i.e. this allows using the same conn section for multiple users).
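Generating and checking the deaggregated leftsubnet lists used in the answer above, as an added example that is not part of the original answer and not strongSwan's own code. It uses Python's standard ipaddress module (summarize_address_range) to turn an inclusive range into the minimal list of CIDR blocks, shows the single prefix a range-unaware backend would widen the range to and how many extra hosts that exposes, verifies that a CIDR list covers exactly the intended range, and renders a per-user conn section in the shape used above. The helper names (deaggregate, leftsubnet, smallest_supernet, extra_hosts, covers_exactly, render_conn) and the eap_identity value in the demo are my own assumptions.

```python
import ipaddress
from typing import List, Tuple, Union

# A spec is either a single host "a.b.c.d" or an inclusive range ("a.b.c.d", "a.b.c.e").
Spec = Union[str, Tuple[str, str]]


def deaggregate(first: str, last: str) -> List[str]:
    """Split an inclusive IPv4 range into the minimal, ordered list of CIDR blocks.

    This is the manual 'deaggregation' the answer recommends, done by the
    standard library: each block is the largest aligned prefix that still
    stays inside the range.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def leftsubnet(*specs: Spec) -> str:
    """Build the comma-separated leftsubnet value from hosts and ranges."""
    blocks: List[str] = []
    for spec in specs:
        if isinstance(spec, tuple):
            blocks.extend(deaggregate(*spec))
        else:
            # ip_network() turns a bare host into a /32
            blocks.append(str(ipaddress.ip_network(spec)))
    return ",".join(blocks)


def smallest_supernet(first: str, last: str) -> str:
    """The single prefix a backend without range support might widen a range to."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # grow the prefix until it also contains the end
        net = net.supernet()
    return str(net)


def extra_hosts(first: str, last: str, cidr: str) -> int:
    """How many addresses `cidr` reaches beyond the intended inclusive range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    wanted = int(hi) - int(lo) + 1
    return ipaddress.ip_network(cidr).num_addresses - wanted


def covers_exactly(cidrs: List[str], first: str, last: str) -> bool:
    """True only if the union of the blocks is exactly the range (no over-reach)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    covered = set()
    for cidr in cidrs:
        covered.update(int(a) for a in ipaddress.ip_network(cidr))
    return covered == set(range(int(lo), int(hi) + 1))


def render_conn(name: str, identity: str, subnets: str) -> str:
    """Render one per-user conn section in the style of the answer above."""
    return "\n".join([
        f"conn {name}",
        "   also=eap-shared",
        f"   eap_identity={identity}",
        f"   leftsubnet={subnets}",
        "   auto=add",
    ])


if __name__ == "__main__":
    # Alice: 192.168.20.100-150, exactly as in the answer
    alice = deaggregate("192.168.20.100", "192.168.20.150")
    print("alice:", ",".join(alice))
    wide = smallest_supernet("192.168.20.100", "192.168.20.150")
    print(f"single-prefix fallback {wide} exposes "
          f"{extra_hosts('192.168.20.100', '192.168.20.150', wide)} extra hosts")
    # John: two ranges plus a single host; identity is an assumed placeholder
    john = leftsubnet(("192.168.30.10", "192.168.30.50"),
                      ("192.168.10.150", "192.168.10.200"),
                      "192.168.20.44")
    print(render_conn("eap-john", "john", john))
```

The over-reach check matters because the range 100-150 straddles the 128 boundary: the only single prefix that contains both ends is the whole /24, so a backend that silently widens the range would give Alice every host in network_2. Run covers_exactly on whatever list you finally put into leftsubnet before rolling it out.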