Bug #10296

swanctl.conf may need multiple pools to support IPv4 and IPv6

Added by Michael Smith 8 months ago. Updated 8 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/26/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

In 2.5.0-DEVELOPMENT after IPsec swanctl conversion, it looks like the mobile-pool may need to be split now to support both IPv4 and IPv6.

From https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf#pools-section

pools.<name>.addrs
Subnet or range defining addresses allocated in pool. Accepts a single CIDR subnet defining the pool to allocate addresses from or an address range (<from>-<to>). Pools must be unique and non-overlapping.

Configuring 192.168.4.0/24 and 2604:2000:2941:4604::/120 results in the following in /var/etc/ipsec/swanctl.conf

pools {
        mobile-pool {
                addrs = 192.168.4.0/24,2604:2000:2941:4604::/120
                dns = 192.168.10.1
                subnet = 0.0.0.0/0,::/0
                split_include = 0.0.0.0/0,::/0
                # Search domain and default domain
                28674 = "nyc.example.com" 
                28675 = "nyc.example.com" 
        }
}


But it appears that only the first (IPv4) addresses are used in the pool.
$ swanctl --list-pools
mobile-pool          192.168.4.0                         0 / 0 / 254

Logs also show that no pool is found for IPv6:

09[IKE] <con-mobile|1> peer requested virtual IP %any
09[IKE] <con-mobile|1> assigning virtual IP 192.168.4.1 to peer 'msfone.nyc.example.com'
09[IKE] <con-mobile|1> peer requested virtual IP %any6
09[IKE] <con-mobile|1> no virtual IP found for %any6 requested by 'msfone.nyc.example.com'

If however, I temporarily change swanctl.conf to use two separate pools:

pools {
        mobile-pool-ipv4 {
                addrs = 192.168.4.0/24
                dns = 192.168.10.1
                subnet = 0.0.0.0/0
                split_include = 0.0.0.0/0
                # Search domain and default domain
                28674 = "nyc.example.com" 
                28675 = "nyc.example.com" 
        }
        mobile-pool-ipv6 {
                addrs = 2604:2000:2941:4604::/120
                subnet = ::/0
                split_include = ::/0
        }
}

then it appears that pools are created for both:

$ swanctl --list-pools
mobile-pool-ipv4     192.168.4.0                         0 / 0 / 254
mobile-pool-ipv6     2604:2000:2941:4604::               0 / 0 / 254

I'm able to work around by switching from EAP-TLS to EAP-RADIUS and adding an Additional RADIUS Attributes (REPLY-ITEM) for the user:

Framed-IPv6-Address = 2604:2000:2941:4604::55

and logs show working as expected:

14[IKE] <con-mobile|6> peer requested virtual IP %any
14[IKE] <con-mobile|6> assigning virtual IP 192.168.4.55 to peer 'msfone.nyc.example.com'
14[IKE] <con-mobile|6> peer requested virtual IP %any6
14[IKE] <con-mobile|6> assigning virtual IP 2604:2000:2941:4604::55 to peer 'msfone.nyc.example.com'

Associated revisions

Revision 407a5c28 (diff)
Added by Jim Pingle 8 months ago

For mobile IPsec pools, use separate pool for v4 and v6. Fixes #10296

Revision faf07413 (diff)
Added by Jim Pingle 8 months ago

Fix IPsec mobile user and pool references. Fixes #10296 Fixes #10314

History

#1 Updated by Jim Pingle 8 months ago

  • Assignee set to Jim Pingle

#2 Updated by Viktor Gurov 8 months ago

In this case we also need to expand the 'Accomodate both RADIUS and pool IP addresses in IPsec.' feature to select which IP protocol pool to override
see https://redmine.pfsense.org/issues/8160

#3 Updated by Jim Pingle 8 months ago

  • Status changed from New to In Progress
  • Target version set to 2.5.0

I think I have a somewhat easy way around this. Commit coming momentarily.

#4 Updated by Jim Pingle 8 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle 8 months ago

  • % Done changed from 100 to 0

I have the common parameters in mobile-pool now and then separate v4 and v6 pools which use that as a template with the specific addresses used. I haven't tried a mobile connection yet, but it loads and looks sane. It's a similar style to how the per-user settings are set up and those have worked for others.

We could maybe also separate the DNS and other parameters in the same way but there may be some use case for sending them as-is I haven't thought of yet.

#6 Updated by Jim Pingle 8 months ago

  • % Done changed from 0 to 100

#7 Updated by Michael Smith 8 months ago

The mobile-pool-v4 and mobile-pool-v6 pools are created as expected.

But seems that "addrs" is required for each pool, so the mobile-pool is not created (or referenced in connections).

Before changes (works):

07[NET] received packet: from 166.171.185.3[59238] to 66.108.230.26[500] (272 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
07[IKE] 166.171.185.3 is initiating an IKE_SA
07[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384

After changes (fails):

10[NET] received packet: from 166.171.185.3[59238] to 66.108.230.26[500] (272 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] no IKE config found for 66.108.230.26...166.171.185.3, sending NO_PROPOSAL_CHOSEN
10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

Maybe the common attrs should be included in the v4 pool or both for now?

#8 Updated by Viktor Gurov 8 months ago

Maybe the common attrs should be included in the v4 pool or both for now?

This is true, although not mentioned in strongswan docs

This PR adds common attrs to each pool
+ description fix for vpn_ipsec_mobile.php, because RADIUS IP address priority applies to both ipv4 and ipv6:
https://github.com/pfsense/pfsense/pull/4210

#9 Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to In Progress

#10 Updated by Jim Pingle 8 months ago

See also: #10314

#11 Updated by Jim Pingle 8 months ago

  • Status changed from In Progress to Feedback

#12 Updated by Viktor Gurov 8 months ago

  • Status changed from Feedback to Resolved

tested on 2.5.0.a.20200305.2255
works ok now, mobile-pools inherit attributes
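
The behaviour documented in this ticket (a single pool whose addrs mixes IPv4 and IPv6 only yields an IPv4 pool, separate per-family pools work, and the common attributes have to be present in each pool because a template pool without addrs is not created, per #7 and #8) can be captured in a small generator and checker. The following is an added example, not pfSense or strongSwan code; the pool names mirror the mobile-pool-v4/-v6 names from #7, the attribute values are the constructed ones from the report, and split_pools, check_pools and render_pools are hypothetical helper names.

```python
"""Split a mobile IPsec address pool into per-family swanctl.conf pools.

Added example, not pfSense or strongSwan code.  Function names, pool names
and sample values are assumptions for illustration.
"""
import ipaddress

# Attributes every mobile client should receive, copied into each pool
# (constructed sample values matching the keys used in the report).
COMMON_ATTRS = {
    "dns": "192.168.10.1",
    "28674": '"nyc.example.com"',  # search domain
    "28675": '"nyc.example.com"',  # default domain
}


def _parse_spec(spec):
    """Parse one 'addrs' entry, a CIDR subnet or a <from>-<to> range.

    Returns (normalised text, list of ip_network objects covering it).
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {spec}")
        return f"{lo}-{hi}", list(ipaddress.summarize_address_range(lo, hi))
    net = ipaddress.ip_network(spec, strict=False)
    return str(net), [net]


def split_pools(addrs, base_name="mobile-pool", attrs=COMMON_ATTRS):
    """Group pool specs by address family into separate swanctl pools.

    A single pool whose 'addrs' mixes IPv4 and IPv6 only yields the first
    family, so each family gets its own pool named <base_name>-v4 / -v6.
    The common attributes are repeated in every pool rather than kept in a
    template pool, because a pool without 'addrs' is not created.
    """
    by_family = {}
    for spec in addrs:
        text, nets = _parse_spec(spec)
        by_family.setdefault(nets[0].version, []).append(text)
    pools = {}
    for version, members in sorted(by_family.items()):
        any_net = "0.0.0.0/0" if version == 4 else "::/0"
        pool = {"addrs": ",".join(members), "subnet": any_net,
                "split_include": any_net}
        pool.update(attrs)
        pools[f"{base_name}-v{version}"] = pool
    return pools


def check_pools(pools):
    """Return a list of problems found in a pools dict.

    Flags a pool whose 'addrs' mixes families (only the first family is
    used, as 'swanctl --list-pools' shows) and pools that overlap, which
    strongSwan requires to be unique and non-overlapping.
    """
    problems, nets = [], {}
    for name, attrs in pools.items():
        flat = [n for s in attrs["addrs"].split(",") for n in _parse_spec(s)[1]]
        if len({n.version for n in flat}) > 1:
            problems.append(f"{name}: addrs mixes IPv4 and IPv6, split it "
                            "into one pool per family")
        nets[name] = flat
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.version == y.version and x.overlaps(y)
                   for x in nets[a] for y in nets[b]):
                problems.append(f"{a} and {b}: address pools overlap")
    return problems


def render_pools(pools):
    """Render a pools dict as the swanctl.conf 'pools' section."""
    lines = ["pools {"]
    for name, attrs in pools.items():
        lines.append(f"        {name} {{")
        lines.extend(f"                {k} = {v}" for k, v in attrs.items())
        lines.append("        }")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: the two subnets from the bug report in one pool.
    pools = split_pools(["192.168.4.0/24", "2604:2000:2941:4604::/120"])
    print(render_pools(pools))
    for problem in check_pools(pools):
        print("WARNING:", problem)
```

Running check_pools on the original single mixed-family pool reports the split that this ticket ended up implementing; running it on the generated per-family pools reports nothing, and the rendered section carries dns, subnet, split_include and the domain attributes in both pools, which is what #12 confirmed working.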
