--- Quoting Daniel Eyholzer on 2005/08/24 at 08:33 +0200:

> Yes, I have tried to filter on VPN client ip addresses on the enc0
> interface. This works, but the problem is that not all users should be
> allowed to do the same things. Since the VPN client ip address can be
> chosen arbitrarily on the VPN client, the user can choose an ip address that
> is allowed to do what he wants to do. Therefore it is not secured, the user
> has just to know which ip address has full access, and he can access all he
> wants on all vlans.
You definitely want to set up a policy then and to use x509 certs for client authentication. Create a policy that delegates to sub policies for each client. The "licensees" of each sub policy should match the distinguished name of the client's key. Specify the appropriate remote_filter/local_filter options in the policy as well. Obviously this doesn't scale so well for large numbers of users. Check out the isakmpd.policy(5) man page for all the details.

.joel
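What a per-client policy of the kind described above can look like, as an added example (not part of Joel's message, and not copied from the isakmpd.policy(5) man page): two POLICY assertions in KeyNote syntax, one per client, each keyed on the client's certificate DN and each restricted with local/remote filter address bounds. The DNs, organisation and address ranges are constructed placeholders; the attribute names (app_domain, esp_present, esp_enc_alg, remote_filter_addr_lower/upper, local_filter_addr_lower/upper) are the ones isakmpd exposes to the policy engine. The zero-padded dotted-quad form is used because these comparisons are string comparisons, which is the convention I understand isakmpd to rely on for the address range attributes; verify against your installed man page.

```keynote
# Added example, not the original poster's configuration.
# DNs and address ranges below are constructed placeholders.

# Sub policy for client "alice": VPN pool 10.10.0.0/24 as the remote side,
# only the management VLAN (192.168.10.0/24) reachable on the local side.
KeyNote-Version: 2
Comment: alice -> management VLAN only
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=Example AG/CN=alice.vpn.example.net"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            remote_filter_addr_lower >= "010.010.000.001" &&
            remote_filter_addr_upper <= "010.010.000.254" &&
            local_filter_addr_lower  >= "192.168.010.000" &&
            local_filter_addr_upper  <= "192.168.010.255" -> "true";

# Sub policy for client "bob": same VPN pool, but allowed to reach two
# VLANs (192.168.0.0/24 and 192.168.1.0/24) on the local side.
KeyNote-Version: 2
Comment: bob -> VLAN 0 and VLAN 1
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=Example AG/CN=bob.vpn.example.net"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            remote_filter_addr_lower >= "010.010.000.001" &&
            remote_filter_addr_upper <= "010.010.000.254" &&
            local_filter_addr_lower  >= "192.168.000.000" &&
            local_filter_addr_upper  <= "192.168.001.255" -> "true";
```

The point of tying each assertion to a DN rather than to an address is the one raised in the thread: the client chooses its own inner address, but it cannot choose which certificate its private key matches, so a proposal from bob's key for the management VLAN fails the alice assertion on the DN and fails the bob assertion on local_filter_addr_upper. The Licensees string has to match the subject DN of the client certificate exactly, component order included, and there is no catch-all assertion, so a client whose DN matches none of the sub policies gets nothing.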