[Openswan Users] Windows vpn clients

Jacco de Leeuw jacco2 at dds.nl
Sat Sep 10 13:35:32 CEST 2005


John A. Sullivan III wrote:

> To use L2TP as described, wouldn't I have to tie a pool of IP addresses
> (similar to the RADIUS approach someone else suggested) to any DN with
> those fields set and then do that on every gateway through which those
> users might enter the system?

PPP does not have access to the DN in the client's IPsec certificate.
But you could map users (and their DNs) to PPP user names.

Another alternative would be to use *another* certificate for second level
EAP authentication. Then you would have access to a DN etc. But this
complicates things at the client side.

>>Alternatively, you could use /etc/ppp/auth-up (man pppd) to dynamically
>>change the firewall rules for a particular user on interface pppXXX.
> 
> Can we tie the selection of PPP interface and thus the custom rules to a
> user's DN?

Only indirectly: through the PPP user name mapping. I don't think you
can coerce pppd into assigning a specific PPP interface but the auth-up
script does provide the actual interface as a parameter.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
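One way to do what the auth-up suggestion above describes, as an added example that is not from this thread, from Openswan or from pppd: a script pppd would run as /etc/ppp/auth-up, keyed on the interface name and PPP user name that pppd passes as its first and third arguments. The user-to-network table, iptables as the packet filter and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original thread or from the Openswan/pppd
# projects: an /etc/ppp/auth-up hook that ties firewall rules to the PPP
# interface and user name pppd hands it. pppd invokes auth-up (and auth-down) as:
#   auth-up interface-name peer-name user-name tty-device speed
# Assumptions: iptables is the packet filter, and the user-to-network table
# below is constructed sample data (a real deployment would keep it in a
# root-owned file such as /etc/ppp/user-acl).
USER_ACL="${USER_ACL:-alice 10.1.0.0/16
bob 10.2.5.0/24
bob 10.2.6.0/24}"

# DRY_RUN=1 (the default here) prints each iptables command instead of
# running it, so the resulting policy can be reviewed and tested without root.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Networks a PPP user name may reach, one per line; empty for unknown users.
acl_for_user() {
    printf '%s\n' "$USER_ACL" | awk -v u="$1" '$1 == u { print $2 }'
}

# Policy for interface $1 and user $2: accept traffic to the user's networks,
# then drop anything else forwarded from that interface. An unknown user
# therefore ends up with only the DROP rule.
apply_rules() {
    ifc="$1"; user="$2"
    for net in $(acl_for_user "$user"); do
        run iptables -A FORWARD -i "$ifc" -d "$net" -j ACCEPT
    done
    run iptables -A FORWARD -i "$ifc" -j DROP
}

# Entry point for pppd. The interface name comes from pppd and the user name
# from the authenticated peer, so reject anything that is not a plain pppN
# name or a plain account name before either reaches iptables.
auth_up() {
    ifc="$1"; user="$3"
    case "$ifc" in
        ppp[0-9]|ppp[0-9][0-9]|ppp[0-9][0-9][0-9]) ;;
        *) echo "auth-up: unexpected interface '$ifc'" >&2; return 1 ;;
    esac
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) echo "auth-up: unexpected user '$user'" >&2; return 1 ;;
    esac
    apply_rules "$ifc" "$user"
}

# When pppd runs this file as /etc/ppp/auth-up, act on its arguments.
if [ $# -ge 3 ]; then auth_up "$@"; fi
```

A matching /etc/ppp/auth-down, which pppd calls with the same arguments, would remove the rules again with `iptables -D` for the same interface.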

