nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

ipsec multiple users

Wed Sep 08, 2021 1:02 am

Hi everyone,

I am using certificates to authenticate users: they belong to the same pool, same profiles, peer, etc.

/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=vpn_server generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer \
policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes

Users will get an IP lease from the 10.88.0.0/24 VPN pool and have access to my local networks 10.10.0.0/24 and 10.20.0.0/24.

I have created an additional user (a certificate for her) and would like to restrict her access to the 10.20.0.0/24 network only.

I just could figure out how I can differentiate that user in the IPsec config so she can only access 10.20.0.0/24. Do I need an additional VPN pool? What else is required?

thanks a lot
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ipsec multiple users  [SOLVED]

Wed Sep 08, 2021 9:00 am

You need a dedicated identity for that user, referring to their individual certificate as remote-certificate, with match-by set to certificate and mode-config set to a mode-config row dedicated for that user, which in turn refers to a dedicated pool (or an individual IP address). Because, as you've already found out, the only attribute of a user you can make the firewall rules refer to is that user's IP address, which is assigned by means of mode-config.

Instead of using firewall rules to control where that user can get, you can also set a dedicated split-include list on that mode-config row, but depending on what operating system that user's IPsec stack is running, it may not be secure enough - with a Windows initiator, the policy is always negotiated with 0.0.0.0/0 at Mikrotik side, and the split-include list is translated into a list of routes delivered to the client via DHCPINFORM, so the user can manually add other routes and the policy will accept such traffic.
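A RouterOS configuration that implements the above answer, as an added example (not sindy's code and not from the thread); the user certificate name vpn_user2, the address 10.88.0.254, the rule comments and the firewall placement are assumptions, and the peer, proposal, policy group and policy template from the question are reused as-is:

```routeros
# Added example: one dedicated identity + one dedicated mode-config per restricted user.
# Assumes the existing pool_ikev2_vpn does NOT hand out 10.88.0.254, so the address stays unique
# while remaining inside the 10.88.0.0/24 covered by the existing policy template.

# 1. Dedicated mode-config row: a single fixed address instead of the shared pool.
#    split-include only pushes a route to the client; per the answer it is a convenience,
#    not an enforcement boundary, so the firewall rules below are what actually restricts her.
/ip ipsec mode-config
add name=IKEv2-cfg-user2 address=10.88.0.254 split-include=10.20.0.0/24

# 2. Dedicated identity matched by her certificate (assumed already imported as vpn_user2).
#    Identities are evaluated top-down, so this row must sit ABOVE the generic identity
#    from the question; verify with `/ip ipsec identity print` and move it if needed.
/ip ipsec identity
add auth-method=digital-signature certificate=vpn_server match-by=certificate \
    remote-certificate=vpn_user2 generate-policy=port-strict mode-config=IKEv2-cfg-user2 \
    peer=IKEv2-peer policy-template-group=ikev2-policies comment="VPN user2 (restricted)"

# 3. Firewall: her fixed address may reach 10.20.0.0/24 only. Place these two rules above
#    any existing rule that accepts traffic from the 10.88.0.0/24 VPN range into the LANs.
/ip firewall filter
add chain=forward src-address=10.88.0.254 dst-address=10.20.0.0/24 action=accept \
    comment="user2: allowed LAN"
add chain=forward src-address=10.88.0.254 action=drop \
    comment="user2: everything else"
```

Check the result with `/ip ipsec active-peers print` (her session should show the dedicated identity and 10.88.0.254) and with the counters on the two filter rules.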
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: ipsec multiple users

Wed Sep 08, 2021 4:11 pm

> You need a dedicated identity for that user, referring to their individual certificate as remote-certificate, with match-by set to certificate and mode-config set to a mode-config row dedicated for that user, which in turn refers to a dedicated pool (or an individual IP address). Because, as you've already found out, the only attribute of a user you can make the firewall rules refer to is that user's IP address, which is assigned by means of mode-config.
>
> Instead of using firewall rules to control where that user can get, you can also set a dedicated split-include list on that mode-config row, but depending on what operating system that user's IPsec stack is running, it may not be secure enough - with a Windows initiator, the policy is always negotiated with 0.0.0.0/0 at Mikrotik side, and the split-include list is translated into a list of routes delivered to the client via DHCPINFORM, so the user can manually add other routes and the policy will accept such traffic.

Thank you Sindy
