[Openswan Users] X509 DN filtering

Paul Wouters paul at xelerance.com
Wed Aug 25 01:27:20 CEST 2004


On Tue, 24 Aug 2004, Marc Spiegelman wrote:

> I am trying to figure out a solution so roadwarriors can only connect to their designated VPN concentrator but VPN concentrators can all connect to each other.  I was wondering if there is a configuration in openswan so I can limit which certificates are allowed to connect.  I was thinking the distinguished name could be used but I don't know if openswan is capable of this kind of filtering.  If so, does anyone have any examples?  Does anyone have any other ideas to meet my objective?

From Andreas's X509 documentation:

The IPsec policy defined above can now be enforced with the following three
IPsec security associations:

    conn sales
         right=%any
         rightid="C=CH, O=ACME, OU=Sales, CN=*"
         rightsubnetwithin=10.1.0.0/24   # Sales DHCP range
         leftsubnet=10.0.0.0/24          # Sales subnet

    conn research
         right=%any
         rightid="C=CH, O=ACME, OU=Research, CN=*"
         rightsubnetwithin=10.1.1.0/24   # Research DHCP range
         leftsubnet=10.0.1.0/24          # Research subnet

    conn web
         right=%any
         rightid="C=CH, O=ACME, OU=*, CN=*"
         rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range
         leftsubnet=10.0.2.100/32        # Web server
         rightprotoport=tcp              # TCP protocol only
         leftprotoport=tcp/http          # TCP port 80 only


Paul
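The same rightid wildcard mechanism applied to Marc's actual scenario (one concentrator accepting only its own roadwarriors, while concentrators peer with each other) is sketched below. This is an added illustration, not part of the thread or of Andreas' documentation; the DN values, host names, certificate file names and addresses are assumed, and the OU split (Concentrators vs. Roadwarriors-A) presumes the CA issues certificates with those OUs, since pluto can only filter on what the CA actually put in the subject DN.

```conf
# /etc/ipsec.conf fragment on concentrator A (assumed names and addresses)
# Peer DNs are matched RDN by RDN against rightid; "*" matches any value
# in that RDN, and a peer whose certificate DN does not fit any rightid
# is not offered a connection.

config setup
     interfaces=%defaultroute

conn %default
     authby=rsasig
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     leftcert=concentratorA.pem
     leftid="C=CH, O=ACME, OU=Concentrators, CN=vpn-a.example.com"
     rightca=%same                   # peer cert must come from our own CA
     auto=add

# Roadwarriors designated for concentrator A: any CN, but the OU must be
# exactly "Roadwarriors-A". Roadwarriors issued with OU=Roadwarriors-B
# fail the DN match here, so they cannot land on this concentrator.
conn roadwarriors-a
     right=%any
     rightid="C=CH, O=ACME, OU=Roadwarriors-A, CN=*"
     rightsubnetwithin=10.1.0.0/24   # assumed roadwarrior address pool
     leftsubnet=10.0.0.0/24          # assumed site A network

# Site-to-site peer: a fixed address and a fully specified DN, no wildcard.
conn concentrator-b
     right=192.0.2.2                 # assumed address of concentrator B
     rightid="C=CH, O=ACME, OU=Concentrators, CN=vpn-b.example.com"
     rightsubnet=10.0.1.0/24         # assumed site B network
     leftsubnet=10.0.0.0/24

# Weak variant for comparison (do not use): rightca alone is not enough,
# because every roadwarrior and every concentrator shares the same CA,
# so a rightid of "C=CH, O=ACME, OU=*, CN=*" would admit all of them.
```

Two points worth checking when deploying something like this: the RDN order and spelling in rightid must match the order in the issued certificate exactly (compare against `openssl x509 -noout -subject` on the peer's certificate), and the separation only holds as long as the CA keeps the OU discipline, so the CA's issuance process is the real policy enforcement point.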

