
Re: [Users] firewall rules depending on roadwarrior cert

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Tue Apr 09 2002 - 15:44:36 CEST


Excerpt from the CHANGES file for the X.509 patch to be found at

  http://www.strongsec.com/freeswan/

  --------------------------------------------------------------------

  Version 0.9.9
  -------------

  - Created the environment variables $PLUTO_MY_ID and $PLUTO_PEER_ID
    which can be accessed in the updown script. Use in ID based
    firewalling policies or for logging purposes.

  --------------------------------------------------------------------

This is your solution. If you choose ID_ASN1_DER_DN as ID type then the
subject's identity contained in the peer certificate will be used.

Unfortunately I haven't worked X.509 support into the official man pages
yet. Therefore these additional environment variables are not explicitly
documented yet.

Regards

Andreas

Wiktor Wodecki wrote:
>
> Hello,
>
> I'm looking for a way to identify lots of users in a firewall script
> without having to set up a conn block for each certificate. Therefore I
> hoped to find some unique identification string (the certificate id for
> example) which is passed to the firewall script on connection start up.
> This would allow me to define different permissions to different
> warriors depending on the certificate they use.
> As I read in the man page of pluto, there are a couple of environmental
> variables passed to the script, but not the one I'm looking for.
> Is there maybe any other way to avoid having tons of conn entries in
> ipsec.conf to granulate permissions?
>
> --
>
> Regards,
>
> Wiktor Wodecki <w.wodecki_at_manfred-dahlhoff.de>

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
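The following updown hook is an added example illustrating the ID-based firewalling Andreas describes above; it is not code from the thread or from the FreeS/WAN X.509 patch. It assumes pluto exports $PLUTO_VERB, $PLUTO_PEER_CLIENT and $PLUTO_PEER_ID into the script's environment, that $PLUTO_PEER_ID carries the peer certificate's subject DN when ID_ASN1_DER_DN is the ID type, and that the VPN interface is ipsec0 with an iptables-based firewall. The DN-to-policy table is constructed for the example; the script prints the resulting rule instead of applying it so it can be checked safely.

```shell
#!/bin/sh
# Example updown hook: derive a per-peer firewall rule from the peer's
# certificate subject DN instead of one conn block per certificate.
#
# Assumed environment, set by pluto before the updown script runs:
#   PLUTO_VERB         e.g. up-client / down-client
#   PLUTO_PEER_CLIENT  the peer's client subnet, e.g. 10.1.2.0/24
#   PLUTO_PEER_ID      the peer's ID; with ID_ASN1_DER_DN the cert subject DN
# Interface name (ipsec0) and iptables are assumptions for this example.

# Constructed policy table: map the subject DN to an allowed destination.
# Anything not listed is denied, so an unknown certificate gets no access.
policy_for_id() {
    case "$1" in
        'C=CH, O=Example, OU=Admins, CN='*) echo "any" ;;
        'C=CH, O=Example, OU=Sales, CN='*)  echo "192.168.10.0/24" ;;
        *)                                  echo "deny" ;;
    esac
}

# Build (but do not run) the iptables command for a verb, peer ID and
# client subnet. Prints nothing for verbs we do not act on.
build_rule() {
    verb=$1; peer_id=$2; client=$3
    dst=$(policy_for_id "$peer_id")
    case "$verb" in
        up-client)   action="-I" ;;
        down-client) action="-D" ;;
        *)           return 0 ;;
    esac
    if [ "$dst" = "deny" ]; then
        echo "iptables $action FORWARD -i ipsec0 -s $client -j DROP"
    elif [ "$dst" = "any" ]; then
        echo "iptables $action FORWARD -i ipsec0 -s $client -j ACCEPT"
    else
        echo "iptables $action FORWARD -i ipsec0 -s $client -d $dst -j ACCEPT"
    fi
}

if [ -z "$PLUTO_VERB" ]; then
    # Stand-alone demo with constructed values (pluto did not call us).
    build_rule up-client 'C=CH, O=Example, OU=Sales, CN=alice' 10.1.2.0/24
else
    rule=$(build_rule "$PLUTO_VERB" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT")
    # Print the rule; replace echo with eval to apply it on a real gateway.
    [ -n "$rule" ] && echo "$PLUTO_PEER_ID: $rule"
fi
```

Because the DN match is anchored on the issuer-controlled prefix (C, O, OU) and only the CN is left open, a roadwarrior can only land in a policy class that the CA deliberately issued them into; logging $PLUTO_PEER_ID alongside the rule also gives the audit trail the original question asked about.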



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:50 CEST