wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-03 10:33:13 +02:00
Code Issues Projects Releases Wiki Activity

Require only one connection per user

Browse source 
Fix an issue where strongswan clients required a separate "conn" section
by modifying the client strongswan config to send the client name as
leftid.
This commit is contained in:
Micah R Ledbetter 2018-02-11 22:59:29 -06:00
parent ff67f7e006
commit acc3fe4c95
2 changed files with 9 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
roles/vpn/templates/client_ipsec.conf.j2
View file

@ -21,6 +21,7 @@ conn ikev2-{{ IP_subject_alt_name }}
leftsourceip=%config leftsourceip=%config
leftauth=pubkey leftauth=pubkey
leftid={{ item }}
leftcert={{ item }}.crt leftcert={{ item }}.crt
leftfirewall=yes leftfirewall=yes
left=%defaultroute left=%defaultroute

31
roles/vpn/templates/ipsec.conf.j2
View file

@ -25,36 +25,19 @@ conn %default
leftsendcert=always leftsendcert=always
leftsubnet=0.0.0.0/0,::/0 leftsubnet=0.0.0.0/0,::/0
# Client configs right=%any
# example: https://www.strongswan.org/testing/testresults/ikev2/config-payload/, especially moon.ipsec.conf rightauth=pubkey
# NOTE: we specify each client config twice, identically except for the rightid parameter {% if local_dns is defined and local_dns == "Y" %}
# because some clients (e.g. strongswan) send the rightid as "/CN=$user" rightdns={{ local_service_ip }}
# while others (e.g. macOS) send the rightid as "$user" {% else %}
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
{% for user in users %} {% for user in users %}
conn AlgoUser-{{ user }} conn AlgoUser-{{ user }}
right=%any
rightid={{ user }} rightid={{ user }}
rightauth=pubkey
rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }} rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }}
{% if local_dns is defined and local_dns == "Y" %}
rightdns={{ local_service_ip }}
{% else %}
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
auto=add
conn AlgoUser-CN{{ user }}
right=%any
rightid="/CN={{ user }}"
rightauth=pubkey
rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }}
{% if local_dns is defined and local_dns == "Y" %}
rightdns={{ local_service_ip }}
{% else %}
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
auto=add auto=add
{% endfor %} {% endfor %}