Hi everyone,
I am using certificates to authenticate users: they belong to the same pool, same profiles, peer, etc.
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=vpn_server generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer \
    policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
Users will get an IP lease from the 10.88.0.0/24 VPN pool and have access to my local networks 10.10.0.0/24 and 10.20.0.0/24.
I have created an additional user (a certificate for her) and would like to restrict her access to the 10.20.0.0/24 network only.
I just couldn't figure out how I can differentiate that user in the IPsec config so she can only access 10.20.0.0/24. Do I need an additional VPN pool? What else is required?
Thanks a lot
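
One way to single out that user on RouterOS, as an added example that is not part of the original post: a second identity matched on her client certificate, with its own mode-config and a firewall rule that enforces the restriction. The certificate name `vpn_client_restricted`, the mode-config name `IKEv2-cfg-restricted` and the address 10.88.0.250 are assumptions; the other names come from the configuration above.

```routeros
# Added example. Assumed: her client certificate is imported on the router as
# "vpn_client_restricted", and 10.88.0.250 is not handed out by pool_ikev2_vpn.

/ip ipsec mode-config
# A fixed address inside 10.88.0.0/24 keeps her covered by the existing policy
# template, so no extra pool or template is needed. split-include only pushes
# the 10.20.0.0/24 route to her client; it does not block anything by itself.
add name=IKEv2-cfg-restricted address=10.88.0.250 split-include=10.20.0.0/24

/ip ipsec identity
# Same peer, server certificate and policy group as the shared identity, but
# selected by her certificate and bound to the restricted mode-config.
add auth-method=digital-signature certificate=vpn_server generate-policy=port-strict \
    match-by=certificate remote-certificate=vpn_client_restricted \
    mode-config=IKEv2-cfg-restricted peer=IKEv2-peer \
    policy-template-group=ikev2-policies

/ip firewall filter
# Enforcement: anything from her tunnel address that is not going to
# 10.20.0.0/24 is dropped. Move this rule above any rule in the forward chain
# that accepts VPN traffic.
add chain=forward action=drop src-address=10.88.0.250 dst-address=!10.20.0.0/24 \
    comment="restricted IKEv2 user: 10.20.0.0/24 only"
```

After she connects, `/ip ipsec active-peers print` and `/ip ipsec policy print` show whether her session received 10.88.0.250 and therefore falls under the drop rule.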