[Openswan Users] X509 DN filtering
Paul Wouters
paul at xelerance.com
Wed Aug 25 01:27:20 CEST 2004
On Tue, 24 Aug 2004, Marc Spiegelman wrote:
> I am trying to figure out a solution so roadwarriors can only connect to their designated VPN concentrator but VPN concentrators can all connect to each other. I was wondering if there is a configuration in openswan so I can limit which certificates are allowed to connect. I was thinking the distinguished name could be used but I don't know if openswan is capable of this kind of filtering. If so, does anyone have any examples? Does anyone have any other ideas to meet my objective?
From Andreas' X509 documentation:
The IPsec policy defined above can now be enforced with the following three
IPsec security associations:
conn sales
    right=%any
    rightid="C=CH, O=ACME, OU=Sales, CN=*"
    rightsubnetwithin=10.1.0.0/24    # Sales DHCP range
    leftsubnet=10.0.0.0/24           # Sales subnet

conn research
    right=%any
    rightid="C=CH, O=ACME, OU=Research, CN=*"
    rightsubnetwithin=10.1.1.0/24    # Research DHCP range
    leftsubnet=10.0.1.0/24           # Research subnet

conn web
    right=%any
    rightid="C=CH, O=ACME, OU=*, CN=*"
    rightsubnetwithin=10.1.0.0/23    # Remote access DHCP range
    leftsubnet=10.0.2.100/32         # Web server
    rightprotoport=tcp               # TCP protocol only
    leftprotoport=tcp/http           # TCP port 80 only
Paul
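To illustrate the DN filtering the quoted rightid patterns express, here is an added example (my own, not Openswan's or the X509 patch's code) that matches a peer certificate DN against each conn's rightid and picks the most specific match. It assumes RDNs are compared pairwise in order, that a value of "*" matches any whole value, and that among matching conns the one with the fewest wildcards wins; the real pluto selection also weighs subnets and protoports, which is left out here.

```python
def parse_dn(dn):
    """Split 'C=CH, O=ACME, OU=Sales, CN=alice' into [(attr, value), ...].
    Simplified: escaped or quoted commas inside values are not handled."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]


def match_dn(pattern, dn):
    """Return the number of wildcards used if `dn` matches `pattern`, else None.
    Assumption: RDNs are compared pairwise in order; a pattern value of '*'
    matches any value for that attribute; any other value must be equal."""
    pat, subj = parse_dn(pattern), parse_dn(dn)
    if len(pat) != len(subj):          # different RDN sequence: no match
        return None
    wildcards = 0
    for (pa, pv), (sa, sv) in zip(pat, subj):
        if pa.upper() != sa.upper():   # attribute types must line up
            return None
        if pv == "*":
            wildcards += 1
        elif pv != sv:
            return None
    return wildcards


# rightid patterns copied from the quoted configuration
CONNS = {
    "sales": "C=CH, O=ACME, OU=Sales, CN=*",
    "research": "C=CH, O=ACME, OU=Research, CN=*",
    "web": "C=CH, O=ACME, OU=*, CN=*",
}


def select_conn(peer_dn, conns=CONNS):
    """Pick the matching conn with the fewest wildcards (assumed: most
    specific wins). Returns None when no rightid pattern matches, i.e. the
    certificate's DN is not allowed by any conn."""
    best = None
    for name, pattern in conns.items():
        score = match_dn(pattern, peer_dn)
        if score is not None and (best is None or score < best[1]):
            best = (name, score)
    return best[0] if best else None


if __name__ == "__main__":
    # constructed sample DNs
    for dn in ("C=CH, O=ACME, OU=Sales, CN=alice",
               "C=CH, O=ACME, OU=Marketing, CN=bob",
               "C=CH, O=Other, OU=Sales, CN=mallory"):
        print(dn, "->", select_conn(dn))
```

A DN from another organisation, or one whose RDN sequence differs from the pattern, matches nothing and is rejected, which is the filtering the original question asks for.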