Feature #10469

closed

Same RADIUS Cisco-AVPair parser code for both OpenVPN/IPsec

Added by Viktor Gurov over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
Start date:
04/17/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Currently OpenVPN and IPsec use two different but mostly identical files to parse RADIUS user attributes:
openvpn.attributes.php and ipsec.attributes.php

cisco_to_cidr() and cisco_extract_index() are identical.

The OpenVPN parser is more advanced:
openvpn.attributes.php has two functions for parsing rules, parse_cisco_acl() and parse_cisco_acl_rule(),
which support IP/ICMP protocol options, port operators (https://redmine.pfsense.org/issues/9206)
and soon IPv6 ACLs (https://redmine.pfsense.org/issues/10454).

It would be better to move these functions to vpn.inc so there is one attribute parser for both OpenVPN and IPsec.

#2

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

#3

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4

Updated by Anonymous about 4 years ago

  • Assignee changed from Renato Botelho to Viktor Gurov

Please confirm & resolve

#5

Updated by Viktor Gurov about 4 years ago

  • Status changed from Feedback to Resolved

Tested on 2.5.0.a.20201016.1850

FreeRADIUS ACLs:

Cisco-AVPair = "ip:outacl#1=permit udp host 4.4.4.4 host 7.7.7.7 range 3110 5000",
Cisco-AVPair += "ip:outacl#2=permit tcp any host 7.7.7.7 gt 333",
Cisco-AVPair += "ip:inacl#3=permit udp host 3.3.3.3 host 7.7.7.7 lt 566",
Cisco-AVPair += "ip:inacl#4=permit udp host 3.3.3.3 host 7.7.7.7 neq 899",
Cisco-AVPair += "ip:inacl#5=permit tcp host 2.2.2.2 host 5.5.5.5 eq 999",
Cisco-AVPair += "ip:inacl#6=permit icmp host 2.2.2.2 host 5.5.5.5",
Cisco-AVPair += "ipv6:outacl#1=permit udp host 2001:DB8::4444 host 2001:DB8::7777 range 3110 5000",
Cisco-AVPair += "ipv6:outacl#2=permit tcp any host 2001:DB8::7777 gt 333",
Cisco-AVPair += "ipv6:inacl#3=permit udp host 2001:DB8::3333 host 2001:DB8::7777 lt 566",
Cisco-AVPair += "ipv6:inacl#4=permit udp host 2001:DB8::3333 host 2001:DB8::7777 neq 899",
Cisco-AVPair += "ipv6:inacl#5=permit tcp host 2001:DB8::2222 host 2001:DB8::5555 eq 999",
Cisco-AVPair += "ipv6:inacl#6=deny udp 2001:DB8:1234::/64 2001:DB8:6789::/48",
Cisco-AVPair += "ipv6:inacl#7=deny icmp 2001:DB8:1234::/64 2001:DB8:9999::/56"

Created OpenVPN rules:

# pfctl -a openvpn/ovpns1_radiususer1_22146 -sr
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on ovpns1 inet proto tcp from 2.2.2.2 to 5.5.5.5 port = garcon no state
pass in quick on ovpns1 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on ovpns1 inet6 proto tcp from 2001:db8::2222 to 2001:db8::5555 port = garcon no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on ovpns1 inet6 proto udp from 2001:db8:1234::/64 to 2001:db8:6789::/48
block drop in quick on ovpns1 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on ovpns1 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on ovpns1 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state

Created IPsec Mobile (XAuth) rules:

# pfctl -a ipsec/radiususer1 -sr
pass in quick on enc0 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on enc0 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on enc0 inet proto tcp from 2.2.2.2 to 5.5.5.5 port = garcon no state
pass in quick on enc0 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass in quick on enc0 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on enc0 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on enc0 inet6 proto tcp from 2001:db8::2222 to 2001:db8::5555 port = garcon no state
pass out quick on enc0 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on enc0 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on enc0 inet6 proto udp from 2001:db8:1234::/64 to 2001:db8:6789::/48
block drop in quick on enc0 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on enc0 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on enc0 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state
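The parser the description wants shared between OpenVPN and IPsec, and the Cisco-AVPair to pf mapping that the test output above confirms (index extraction, `host`/`any`/prefix addresses, `eq`/`gt`/`lt`/`neq`/`range` port operators, IPv6 with `ipv6-icmp`, `deny` as `block drop`), as an added Python example. It is not pfSense's PHP code from openvpn.attributes.php or vpn.inc; the function names follow the description, but their internals are assumptions: `cisco_to_cidr()` is implemented here as Cisco wildcard-mask to CIDR conversion, and the parser goes slightly beyond the ticket by also accepting a source-port operator and an IPv4 `address wildcard` pair. The sample input is constructed from the ticket's FreeRADIUS entries plus one non-ACL AVPair. Every address and port token is validated with `ipaddress`/integer checks rather than copied through, because these values arrive from the RADIUS server and end up in a pf ruleset: a malformed entry raises instead of producing a rule.

```python
import ipaddress
import re

# Constructed sample input: the Cisco-AVPair values from the FreeRADIUS test in this ticket,
# as the bare strings a RADIUS client sees once the attribute name and quoting are stripped.
SAMPLE_AVPAIRS = [
    "ip:outacl#1=permit udp host 4.4.4.4 host 7.7.7.7 range 3110 5000",
    "ip:outacl#2=permit tcp any host 7.7.7.7 gt 333",
    "ip:inacl#3=permit udp host 3.3.3.3 host 7.7.7.7 lt 566",
    "ip:inacl#4=permit udp host 3.3.3.3 host 7.7.7.7 neq 899",
    "ip:inacl#5=permit tcp host 2.2.2.2 host 5.5.5.5 eq 999",
    "ip:inacl#6=permit icmp host 2.2.2.2 host 5.5.5.5",
    "ipv6:outacl#1=permit udp host 2001:DB8::4444 host 2001:DB8::7777 range 3110 5000",
    "ipv6:inacl#6=deny udp 2001:DB8:1234::/64 2001:DB8:6789::/48",
    "ipv6:inacl#7=deny icmp 2001:DB8:1234::/64 2001:DB8:9999::/56",
    "shell:priv-lvl=15",  # constructed non-ACL AVPair; the parser must skip it, not choke on it
]

AVPAIR_RE = re.compile(r"^(?P<family>ip|ipv6):(?P<direction>inacl|outacl)#(?P<index>\d+)=(?P<rule>.+)$")
PORT_OPS = {"eq": "=", "gt": ">", "lt": "<", "neq": "!="}
PF_AF = {"ip": ("inet", 4), "ipv6": ("inet6", 6)}   # ACL family -> (pf address family, IP version)


def cisco_extract_index(avpair):
    """Split an AVPair into (family, direction, index, rule text); None if it is not an ACL entry."""
    m = AVPAIR_RE.match(avpair.strip())
    if m is None:
        return None
    return m["family"], m["direction"], int(m["index"]), m["rule"]


def cisco_to_cidr(address, wildcard):
    """Cisco IPv4 'address wildcard-mask' -> CIDR string (assumed behaviour of the page's helper)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a valid wildcard is a run of low-order ones, so wc+1 must be a power of two
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix_len = 33 - (wc + 1).bit_length()
    return str(ipaddress.IPv4Network((address, prefix_len), strict=False))


def _parse_address(tokens, i, version):
    """Consume one address spec at tokens[i]; every address is validated and normalised, never copied."""
    if i >= len(tokens):
        raise ValueError("missing address")
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        if i + 1 >= len(tokens):
            raise ValueError("host keyword without address")
        addr, nxt = ipaddress.ip_address(tokens[i + 1]), i + 2
    elif "/" in tok:
        addr, nxt = ipaddress.ip_network(tok, strict=False), i + 1
    else:  # classic Cisco IPv4 'address wildcard' pair (assumed extension, IPv4 only)
        if version != 4 or i + 1 >= len(tokens):
            raise ValueError(f"bad address spec: {tok}")
        addr, nxt = ipaddress.ip_network(cisco_to_cidr(tok, tokens[i + 1])), i + 2
    if addr.version != version:
        raise ValueError(f"address {addr} does not match the ACL family")
    return str(addr), nxt  # str() also lowercases and compresses IPv6, as pfctl prints it


def _parse_port(tokens, i, proto):
    """Consume an optional port operator at tokens[i]; returns ('' or a pf port clause, next index)."""
    if i >= len(tokens) or (tokens[i] not in PORT_OPS and tokens[i] != "range"):
        return "", i
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port operator is not valid for protocol {proto}")
    op = tokens[i]
    need = 2 if op == "range" else 1
    nums = tokens[i + 1:i + 1 + need]
    if len(nums) != need or not all(n.isdigit() and 0 < int(n) < 65536 for n in nums):
        raise ValueError(f"bad port operand after {op}")
    if op == "range":
        lo, hi = int(nums[0]), int(nums[1])
        if lo > hi:
            raise ValueError("inverted port range")
        # pf's '><' excludes both ends, which is why the ticket's ruleset shows 3109 >< 5001 for 3110-5000
        return f"port {lo - 1} >< {hi + 1}", i + 3
    return f"port {PORT_OPS[op]} {nums[0]}", i + 2


def parse_cisco_acl_rule(family, direction, rule, iface):
    """One 'permit|deny proto src [port-op] dst [port-op]' entry -> one pf rule line."""
    af, version = PF_AF[family]
    tokens = rule.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACL rule: {rule!r}")
    action, proto = tokens[0], tokens[1]
    if proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported protocol: {proto}")
    src, i = _parse_address(tokens, 2, version)
    sport, i = _parse_port(tokens, i, proto)
    dst, i = _parse_address(tokens, i, version)
    dport, i = _parse_port(tokens, i, proto)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in rule: {' '.join(tokens[i:])}")
    parts = ["pass" if action == "permit" else "block drop",
             "in" if direction == "inacl" else "out", "quick", "on", iface, af]
    if proto != "ip":  # 'ip' means any protocol, so no 'proto' clause at all
        parts += ["proto", "ipv6-icmp" if (proto == "icmp" and af == "inet6") else proto]
    parts += ["from", src] + ([sport] if sport else []) + ["to", dst] + ([dport] if dport else [])
    if action == "permit":
        parts += ["no", "state"]  # the ticket's ruleset creates permit rules stateless
    return " ".join(parts)


def parse_cisco_acl(avpairs, iface):
    """All ACL AVPairs of one user -> ordered pf rules; non-ACL AVPairs are skipped."""
    entries = [e for e in (cisco_extract_index(a) for a in avpairs) if e is not None]
    # 'quick' rules are first-match, so keep ACL index order within each direction and family
    entries.sort(key=lambda e: (e[1], e[0], e[2]))
    return [parse_cisco_acl_rule(fam, d, rule, iface) for fam, d, _idx, rule in entries]


if __name__ == "__main__":
    for line in parse_cisco_acl(SAMPLE_AVPAIRS, "ovpns1"):
        print(line)
```

Passing `"enc0"` instead of `"ovpns1"` yields the IPsec variant of the same ruleset, which is the point of the ticket: one parser, two anchors. The only cosmetic difference from the `pfctl -sr` listing above is that pfctl resolves well-known port numbers through /etc/services (999 is printed as `garcon`), while this code keeps them numeric.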
