Bug #10296
closed
swanctl.conf may need multiple pools to support IPv4 and IPv6
100%
Description
In 2.5.0-DEVELOPMENT after IPsec swanctl conversion, it looks like the mobile-pool may need to be split now to support both IPv4 and IPv6.
From https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf#pools-section
pools.<name>.addrs
Subnet or range defining addresses allocated in pool. Accepts a single CIDR subnet defining the pool to allocate addresses from or an address range (<from>-<to>). Pools must be unique and non-overlapping.
Configuring 192.168.4.0/24 and 2604:2000:2941:4604::/120 results in the following in /var/etc/ipsec/swanctl.conf
pools {
mobile-pool {
addrs = 192.168.4.0/24,2604:2000:2941:4604::/120
dns = 192.168.10.1
subnet = 0.0.0.0/0,::/0
split_include = 0.0.0.0/0,::/0
# Search domain and default domain
28674 = "nyc.example.com"
28675 = "nyc.example.com"
}
}
But it appears that only the first (IPv4) addresses are used in the pool.
$ swanctl --list-pools mobile-pool 192.168.4.0 0 / 0 / 254
Logs also show that no pool is found for IPv6:
09[IKE] <con-mobile|1> peer requested virtual IP %any 09[IKE] <con-mobile|1> assigning virtual IP 192.168.4.1 to peer 'msfone.nyc.example.com' 09[IKE] <con-mobile|1> peer requested virtual IP %any6 09[IKE] <con-mobile|1> no virtual IP found for %any6 requested by 'msfone.nyc.example.com'
If however, I temporarily change swanctl.conf to use two separate pools:
pools {
mobile-pool-ipv4 {
addrs = 192.168.4.0/24
dns = 192.168.10.1
subnet = 0.0.0.0/0
split_include = 0.0.0.0/0
# Search domain and default domain
28674 = "nyc.example.com"
28675 = "nyc.example.com"
}
mobile-pool-ipv6 {
addrs = 2604:2000:2941:4604::/120
subnet = ::/0
split_include = ::/0
}
}
then it appears that pools are created for both:
$ swanctl --list-pools mobile-pool-ipv4 192.168.4.0 0 / 0 / 254 mobile-pool-ipv6 2604:2000:2941:4604:: 0 / 0 / 254
I'm able to work around by switching from EAP-TLS to EAP-RADIUS and adding an Additional RADIUS Attributes (REPLY-ITEM) for the user:
Framed-IPv6-Address = 2604:2000:2941:4604::55
and logs show working as expected:
14[IKE] <con-mobile|6> peer requested virtual IP %any 14[IKE] <con-mobile|6> assigning virtual IP 192.168.4.55 to peer 'msfone.nyc.example.com' 14[IKE] <con-mobile|6> peer requested virtual IP %any6 14[IKE] <con-mobile|6> assigning virtual IP 2604:2000:2941:4604::55 to peer 'msfone.nyc.example.com'
Updated by Viktor Gurov about 4 years ago
In this case we also need to expand the 'Accomodate both RADIUS and pool IP addresses in IPsec.' feature to select which IP protocol pool to override
see https://redmine.pfsense.org/issues/8160
Updated by Jim Pingle about 4 years ago
- Status changed from New to In Progress
- Target version set to 2.5.0
I think I have a somewhat easy way around this. Commit coming momentarily.
Updated by Jim Pingle about 4 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 407a5c28093d46cb39cc1bba75740523a1ee97e6.
Updated by Jim Pingle about 4 years ago
- % Done changed from 100 to 0
I have the common parameters in mobile-pool now and then separate v4 and v6 pools which use that as a template with the specific addresses used. I haven't tried a mobile connection yet, but it loads and looks sane. It's a similar style to how the per-user settings are setup and those have worked for others.
We could maybe also separate the DNS and other parameters in the same way but there may be some use case for sending them as-is I haven't thought of yet.
Updated by Michael Smith about 4 years ago
The mobile-pool-v4 and mobile-pool-v6 pools are created as expected.
But seems that "addrs" is required for each pool, so the mobile-pool is not created (or referenced in connections).
Before changes (works):
07[NET] received packet: from 166.171.185.3[59238] to 66.108.230.26[500] (272 bytes) 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 07[IKE] 166.171.185.3 is initiating an IKE_SA 07[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
After changes (fails):
10[NET] received packet: from 166.171.185.3[59238] to 66.108.230.26[500] (272 bytes) 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 10[IKE] no IKE config found for 66.108.230.26...166.171.185.3, sending NO_PROPOSAL_CHOSEN 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Maybe the commons attrs should be included in the v4 pool or both for now?
Updated by Viktor Gurov about 4 years ago
Maybe the commons attrs should be included in the v4 pool or both for now?
This is true, although not mentioned in strongswan docs
This PR adds common attrs to each pool
+ description fix for vpn_ipsec_mobile.php, because RADIUS IP address priority applies to both ipv4 and ipv6:
https://github.com/pfsense/pfsense/pull/4210
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to In Progress
Updated by Jim Pingle about 4 years ago
- Status changed from In Progress to Feedback
Applied in changeset faf07413977457bc0aa3fccf64ff724e79d79da2.
Updated by Viktor Gurov about 4 years ago
- Status changed from Feedback to Resolved
tested on 2.5.0.a.20200305.2255
works ok now,- mobile-pools inherits attributes