Bug #10532

Mobile PSK users don't have 'mobile-userpool' section

Added by Viktor Gurov 6 months ago. Updated 14 days ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version: 2.5.0
Start date: 05/06/2020
% Done: 100%
Affected Version: 2.5.0

Description

I don't see the 'mobile-userpool' section for PSK users, only for EAP:

# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fc00:5555::/64
                remote_ts = 192.168.3.0/24,fc00:5555::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
...
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = fc00:3434::/64
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}

I set the 10.12.12.1/32 pool for the user test2 in the WebGUI, but can't see it in swanctl.conf.
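As an added example (not code from this bug report or from pfSense), the following Python script parses a swanctl.conf-style file like the one quoted above and cross-checks it the way a reviewer of this bug would: it lists which remote identities received a con-mobile-userpool-N connection with a per-user pool, and flags identities from the secrets section that have none, separating EAP users (eap-N blocks) from PSK users (ike-N blocks). The embedded configuration is a constructed copy of the quoted fragment; the block-name conventions (eap-/ike- prefixes, the userfqdn: id prefix) are taken from that fragment, and the `__parent__` key is this example's own way of recording the `name : parent` inheritance syntax.

```python
"""Cross-check per-user pools in a swanctl.conf-style file (added example, not pfSense code)."""

# Constructed sample, mirroring the configuration quoted in the bug report:
# test1 is an EAP user with a per-user pool, test2 is a PSK user without one.
SAMPLE = """
# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fc00:5555::/64
                remote_ts = 192.168.3.0/24,fc00:5555::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = fc00:3434::/64
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}
"""


def parse_swanctl(text):
    """Parse nested `name { ... }` blocks and `key = value` lines into dicts.

    A header written as `name : parent {` is stored under `name` with the
    parent recorded in a `__parent__` key (this example's own convention).
    Comments starting with '#' are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            name, _, parent = line[:-1].partition(':')
            node = {'__parent__': parent.strip()} if parent.strip() else {}
            stack[-1][name.strip()] = node
            stack.append(node)
        elif line == '}':
            stack.pop()
        else:
            key, _, value = line.partition('=')
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError('unbalanced braces in swanctl configuration')
    return root


def per_user_pools(conf):
    """Map remote id -> (pool name, pool addrs) for every connection carrying `pools`."""
    result = {}
    pools = conf.get('pools', {})
    for conn in conf.get('connections', {}).values():
        if not isinstance(conn, dict) or 'pools' not in conn:
            continue
        pool = conn['pools']
        rid = conn.get('remote', {}).get('id', '%any')
        result[rid] = (pool, pools.get(pool, {}).get('addrs'))
    return result


def secret_ids(conf):
    """Return (eap_ids, psk_ids): identities from eap-N and ike-N secrets blocks."""
    eap, psk = set(), set()
    for name, sec in conf.get('secrets', {}).items():
        if not isinstance(sec, dict):
            continue
        ids = {v for k, v in sec.items() if k.startswith('id-')}
        if name.startswith('eap-'):
            eap |= ids
        elif name.startswith('ike-'):
            psk |= ids
    return eap, psk


def users_without_pool(conf):
    """Identities present in secrets but lacking a per-user pool connection."""
    # Strip the `userfqdn:` style prefix so ids compare against secrets entries.
    pooled = {rid.split(':', 1)[-1] for rid in per_user_pools(conf)}
    eap, psk = secret_ids(conf)
    return {'eap': sorted(eap - pooled), 'psk': sorted(psk - pooled)}


if __name__ == '__main__':
    conf = parse_swanctl(SAMPLE)
    for rid, (pool, addrs) in per_user_pools(conf).items():
        print(f'{rid}: {pool} ({addrs})')
    print('without per-user pool:', users_without_pool(conf))
```

Run against the quoted configuration, the script reports test1 with mobile-userpool-1 (10.11.11.1/32) and lists test2 under the PSK users without a pool, which is exactly the discrepancy the report describes; the same check run on a real /var/etc/ipsec/swanctl.conf shows whether the generator emitted a per-user section for each configured identity.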

Associated revisions

Revision b862ffc5 (diff)
Added by Viktor Gurov about 1 month ago

Hide IPsec Pre-Shared Keys non-psk fields. Issue #10532

History

#1 Updated by Viktor Gurov 6 months ago

Same on 2.4.5:

/var/etc/ipsec/ipsec.conf:
...
conn mobile-1
    also = con-mobile
    eap_identity = %identity
    rightsourceip = 10.22.22.22/32
    rightid = userfqdn:testeap

/var/etc/ipsec/ipsec.secrets:
 test1 : PSK 0sMTIz
 testeap : EAP 0sMTIz

#2 Updated by Jim Pingle 6 months ago

It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.

It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.

#3 Updated by Viktor Gurov 4 months ago

Jim Pingle wrote:

It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.

It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.

This is correct, because an IPsec Mobile PSK client can't provide an ID.

It's better to hide fields not supported by PSK:
https://github.com/pfsense/pfsense/pull/4369

#4 Updated by Jim Pingle 4 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

#5 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#6 Updated by Danilo Zrenjanin 14 days ago

  • Status changed from Feedback to Resolved

Tested on:

2.5.0-DEVELOPMENT (amd64)
built on Sat Oct 10 01:03:57 EDT 2020
FreeBSD 12.2-STABLE

Virtual Address Pool, Identifier type and DNS Server fields are hidden once the PSK secret type is selected.

Ticket resolved.
