I'm new to strongSwan, so apologies for a newbie question. I've set up a Debian server with strongSwan. Via Mikrotik LTE routers and IKEv2-PSK, this server connects three networks: network_1 192.168.10.0/24, network_2 192.168.20.0/24 and network_3 192.168.30.0/24. Besides these networks, the server also accepts Windows, iOS, OSX and Android clients over IKEv2 with MSCHAP-EAP authentication. Everything works fine, and every connected client can reach all IPs in all three networks.
Now I'd like to give the MSCHAP-EAP clients some access restrictions, for example:
Client Bob / password 1 should only be able to reach IPs in network 2 and nothing else.
Client Alice / password 2 should only be able to reach the IP range 192.168.20.100 – 150 in the second network and nothing else.
Client John / password 3 should only be able to reach the IP ranges 192.168.30.10 – 50 and 192.168.10.150 – 200 and the IP address 192.168.20.44.
Can anyone help me with this? Preferably with a pointer to an example solution...
Thanks in advance
Peter
Answer 1
One possible approach is to use EAP-RADIUS. The RADIUS server can return a Class attribute that can be matched in the config (with rightgroups in ipsec.conf, or groups in swanctl.conf). You can then define different local traffic selectors for each group. The strongSwan test scenario ikev2/rw-eap-md5-class-radius illustrates this.
If you don't want to or can't use EAP-RADIUS, there is a way to match individual EAP identities, but it's a bit tricky because strongSwan does not fully support connection switching based on such identities. For this, a dummy connection with a bogus group has to be used. In ipsec.conf it looks like this:
    conn eap-shared
        # options shared by all clients e.g.
        leftcert=...
        # or
        rightsourceip=...
        # or
        rightauth=eap-mschapv2

    conn eap-init
        also=eap-shared
        # this config is used to do the EAP-Identity exchange and the
        # authentication of client and server
        eap_identity=%identity
        # the following is used to force a connection switch after
        # the authentication completed
        rightgroups=<any string that is not used as group/class>
        auto=add

    conn eap-bob
        also=eap-shared
        [email protected]
        # any options that only apply to this user follow here e.g.
        leftsubnet=192.168.20.0/24
        auto=add

    conn eap-alice
        also=eap-shared
        [email protected]
        # any options that only apply to this user follow here e.g.
        # (note that ipsec.conf does not support ranges, and most kernel
        # interfaces do neither, so a range might be converted to a larger
        # subnet when installing IPsec policies, so deaggregating the range
        # is the most accurate way to do this currently)
        leftsubnet=192.168.20.100/30,192.168.20.104/29,192.168.20.112/28,192.168.20.128/28,192.168.20.144/30,192.168.20.148/31,192.168.20.150/32
        auto=add

    conn eap-john
        also=eap-shared
        [email protected]
        # any options that only apply to this user follow here e.g.
        # (see above)
        leftsubnet=192.168.30.10/31,192.168.30.12/30,192.168.30.16/28,192.168.30.32/28,192.168.30.48/31,192.168.30.50/32,192.168.10.150/31,192.168.10.152/29,192.168.10.160/27,192.168.10.192/29,192.168.10.200/32,192.168.20.44/32
        auto=add
With EAP-RADIUS the config looks very similar, but you don't need the eap-init connection (instead, add eap_identity=%identity to eap-shared), and instead of defining eap_identity in each individual connection, you set rightgroups to the group (i.e. the EAP-RADIUS Class attribute value) that should use that connection (this also allows multiple users to share the same conn section).
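The range deaggregation the comments above call for, as an added helper that is not part of the original answer: it turns the ranges from the question into the minimal CIDR list for leftsubnet, renders a per-identity conn section in the layout of the answer, and lets you check which addresses the resulting selectors actually cover. It assumes each eap_identity is the bare username; the USER_RANGES table is constructed from the question.

```python
import ipaddress
from typing import Iterable

# Constructed from the access rules in the question (identities are assumed
# to be the bare usernames; the real values are up to the deployment).
USER_RANGES = {
    "bob":   ["192.168.20.0-192.168.20.255"],
    "alice": ["192.168.20.100-192.168.20.150"],
    "john":  ["192.168.30.10-192.168.30.50",
              "192.168.10.150-192.168.10.200",
              "192.168.20.44"],
}


def range_to_cidrs(spec: str) -> list[str]:
    """Deaggregate 'first-last' (or a single host) into the minimal list of
    CIDR blocks. ipsec.conf has no range syntax, so each block becomes one
    leftsubnet entry; no block reaches outside the requested range."""
    first, _, last = spec.partition("-")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end before start: {spec}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def leftsubnet(ranges: Iterable[str]) -> str:
    """Comma-separated leftsubnet value for a list of ranges/hosts."""
    return ",".join(cidr for r in ranges for cidr in range_to_cidrs(r))


def conn_section(user: str, ranges: Iterable[str]) -> str:
    """Render one per-identity conn section as in the accepted answer."""
    return "\n".join([
        f"conn eap-{user}",
        "    also=eap-shared",
        f"    eap_identity={user}",
        f"    leftsubnet={leftsubnet(ranges)}",
        "    auto=add",
    ])


def covered(ranges: Iterable[str], addr: str) -> bool:
    """True if addr lies inside the selectors generated for these ranges,
    i.e. the traffic the installed IPsec policy would actually permit."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c)
               for r in ranges for c in range_to_cidrs(r))


if __name__ == "__main__":
    for user, ranges in USER_RANGES.items():
        print(conn_section(user, ranges), end="\n\n")
```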
Answer 2
The accepted answer mostly worked for us, with just a small change. We use
    conn %default
        # Settings for all conn to inherit
        # But we included this in our settings:
        auto=add
So 'conn eap-shared' from the accepted answer above inherits 'auto=add', which breaks it. The default 'auto=' in ipsec.conf is 'auto=ignore', so unless you have set it, the default is used.
One workaround is to remove 'auto=add' from 'conn %default' so that the default applies, another is to change it to 'auto=ignore', but yet another is to change 'conn eap-shared' to explicitly contain 'auto=ignore' and nothing else, so that it inherits all 'conn %default' settings. Then add 'auto=add' to 'conn eap-init', and to every conn after it that has 'also=eap-shared' also add a line 'auto=add'.
Few people will need this and have 'auto=add' set in 'conn %default', but if you do, I hope this helps.
Thanks @ecdsa (https://serverfault.com/users/95913/ecdsa) for your answer; it worked for me without running RADIUS or other services, and now Windows users can save their VPN passwords.
Copy-pasting your solution with the changes we made:
    conn %default
        # All options shared on all connections, including
        auto=add

    conn eap-shared
        # Because 'conn %default' has all settings shared between all conn, just:
        auto=ignore

    # And the rest is as-is, since the original already has 'auto=add' in each conn:
    conn eap-init
        also=eap-shared
        # this config is used to do the EAP-Identity exchange and the
        # authentication of client and server
        eap_identity=%identity
        # the following is used to force a connection switch after
        # the authentication completed
        rightgroups=<any string that is not used as group/class>
        auto=add

    conn eap-bob
        also=eap-shared
        [email protected]
        # any options that only apply to this user follow here e.g.
        leftsubnet=192.168.20.0/24
        auto=add

    conn eap-alice
        also=eap-shared
        [email protected]
        # any options that only apply to this user follow here e.g.
        # (note that ipsec.conf does not support ranges, and most kernel
        # interfaces do neither, so a range might be converted to a larger
        # subnet when installing IPsec policies, so deaggregating the range
        # is the most accurate way to do this currently)
        leftsubnet=192.168.20.100/30,192.168.20.104/29,192.168.20.112/28,192.168.20.128/28,192.168.20.144/30,192.168.20.148/31,192.168.20.150/32
        auto=add

    conn eap-john
        also=eap-shared
        [email protected]
        # any options that only apply to this user follow here e.g.
        # (see above)
        leftsubnet=192.168.30.10/31,192.168.30.12/30,192.168.30.16/28,192.168.30.32/28,192.168.30.48/31,192.168.30.50/32,192.168.10.150/31,192.168.10.152/29,192.168.10.160/27,192.168.10.192/29,192.168.10.200/32,192.168.20.44/32
        auto=add
Thanks again @ecdsa (https://serverfault.com/users/95913/ecdsa)