From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
Date: Mon Sep 02 2002 - 20:19:22 CEST
I've not done this yet but it is something I am working towards. I
believe the answer is yes and no. It would be easier if the x.509 patch
supported wild cards in the ID but I don't believe it does (at least in
the minimal testing I did, it did not appear to).
If it does support wildcards, you could create separate connection
definitions using DER_ASN.1_DN IDs and leave the CN=* and give each set
of road warriors certs with the other fields set to some consistent
value. Of course, if these are not sets of users but only three
individual users, then you could just use the full ID in the connection
definition.
I don't think you can do it with different CA certs in that I don't
believe the x.509 patch associates a CA cert with a particular
connection definition. I think it just looks at the cacerts directory as
one pool of possible certs.
I wonder if one could do it with IPTABLES. The x.509 patch will generate
an environment variable that contains the client ID and IP address.
Perhaps one could write an updown script that would parse those
variables for a particular field, e.g., the OU field, pull out the IP
address and set up an IPTABLES rule that allows access to that subnet
for that source address while the connection is up and deletes the rule
when the connection is torn down. Let me know how you fare as this is
exactly some of the work I see in front of me in the near future. Good
luck - John
Kai Korpi wrote:
> Hi all,
>
> I need help setting up freeswan with nat and x509. I have 3 kinds of
> roadwarrior clients and each of them has to be able to access a
> different remote subnetwork.
>
> rw1 needs access to 192.168.1.0/24
>
> rw2 needs access to 192.168.2.0/24
>
> rw3 needs access to 0.0.0.0/0 but not to 192.168.1.0/24
>
> The big question is can I somehow do this with certificates? Do I need
> to create 3 different CA certificates? If I can't use CA certificates,
> is there a better way to do this?
>
> I also need to use the NAT patch. I have freeswan with 4 nics installed,
> if that helps.
>
> regards
>
> -Kai-
>
--
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
john.sullivan_at_nexusmgmt.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
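As an added illustration of the updown approach John sketches above (this is example code, not John's script and not FreeS/WAN's own _updown), the following POSIX sh helper maps the OU field of the peer's certificate DN to the per-group subnet access Kai asked for and adds or deletes the matching FORWARD rules. It assumes the variable names PLUTO_VERB, PLUTO_PEER_ID and PLUTO_PEER, which are the ones FreeS/WAN's stock _updown script exports (check your patch version), and it assumes the CA only issues road-warrior certs whose OU is one of rw1, rw2 or rw3, since that field is what the access decision hangs on. The subnets are the ones from Kai's question; the function names are invented for this example.

```shell
#!/bin/sh
# Example per-peer iptables updown helper (constructed for illustration; not
# the FreeS/WAN _updown script). Assumptions: pluto exports PLUTO_VERB,
# PLUTO_PEER_ID (peer cert DN) and PLUTO_PEER (peer public IP); the OU field
# of each road-warrior cert names its group. FORWARD policy should be DROP so
# that only rules added here grant access.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Print the value of the OU= field of a comma-separated DN, or nothing.
ou_of_dn() {
    printf '%s\n' "$1" \
        | sed -n 's/.*OU=[[:space:]]*\([^,]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Emit the FORWARD rule arguments, one rule per line, for a peer group.
# $1 = OU (group), $2 = peer source IP, $3 = -A (add) or -D (delete).
# Unknown groups get no rules and a non-zero status, so nothing is opened.
rules_for_ou() {
    ou=$1; src=$2; op=$3
    case $ou in
        rw1) echo "$op FORWARD -s $src -d 192.168.1.0/24 -j ACCEPT" ;;
        rw2) echo "$op FORWARD -s $src -d 192.168.2.0/24 -j ACCEPT" ;;
        rw3) # deny the protected subnet first, then allow everything else
             echo "$op FORWARD -s $src -d 192.168.1.0/24 -j DROP"
             echo "$op FORWARD -s $src -j ACCEPT" ;;
        *)   return 1 ;;
    esac
}

# Pass every rule line produced by rules_for_ou to iptables.
apply_rules() {
    rules_for_ou "$1" "$2" "$3" | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of $line is intended
        $IPTABLES $line
    done
}

# Entry point when invoked by pluto: add rules on up, remove them on down.
case "${PLUTO_VERB:-}" in
    up-client)   apply_rules "$(ou_of_dn "$PLUTO_PEER_ID")" "$PLUTO_PEER" -A ;;
    down-client) apply_rules "$(ou_of_dn "$PLUTO_PEER_ID")" "$PLUTO_PEER" -D ;;
esac
```

Point conn definitions at this script with leftupdown, and run it once with IPTABLES=echo and a hand-set PLUTO_PEER_ID to see the rules it would issue before trusting it with a live tunnel. The enforcement is only as good as the CA's issuance discipline: a cert with OU=rw3 gets 0.0.0.0/0 minus the protected subnet, so the OU must be set by the CA operator, never by the requester.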
This archive was generated by hypermail 2.1.4 : Mon Sep 02 2002 - 22:19:54 CEST