
Bug #10517

closed

Mobile PSK user mobile-userpool is ignored

Added by Viktor Gurov about 4 years ago. Updated about 4 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
05/01/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:

Description

Regardless of what is entered in the "Virtual Address Pool" field on the VPN / IPsec / Pre-Shared Keys / Edit page,
mobile clients always receive an IP address from the "Virtual Address Pool" configured under "Mobile Clients".

sample config:

# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fcaa:10:1:1::/64
                remote_ts = 192.168.3.0/24,fcaa:10:1:1::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
    con-mobile-userpool-2 : con-mobile-defaults {
        remote {
            id = userfqdn:test3
            eap_id = %any
        }
        pools = mobile-userpool-2
    }
}
con-mobile-defaults {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes128-sha256-modp2048
    dpd_delay = 10s
    dpd_timeout = 60s
    reauth_time = 28800s
    rekey_time = 0s
    encap = no
    mobike = no
    local_addrs = 192.168.3.4
    remote_addrs = 0.0.0.0/0,::/0
    pools = mobile-pool-v4
    send_cert = always
    local {
        id = 192.168.3.4
        auth = pubkey
        cert {
            file = /var/etc/ipsec/x509/cert-1.crt
        }
    }
    remote {
        eap_id = %any
        auth = eap-mschapv2
    }
    children {
        con-mobile {
            dpd_action = clear
            mode = tunnel
            policies = yes
            life_time = 3600
            start_action = none
            local_ts = 172.16.16.0/30
            esp_proposals = aes128-sha256-modp2048,aes128gcm128-modp2048
        }
    }
}
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
    mobile-userpool-2 : mobile-pool {
        addrs = 10.34.34.5/24
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
    eap-3 {
        secret = 0sMTIz
        id-0 = test3
    }
}

Users test1 through test3 always receive an IP address from 10.33.33.0/24.

pfSense 2.5.0.a.20200430.1700

