Bug #10532

closed

Mobile PSK users don't have 'mobile-userpool' section

Added by Viktor Gurov over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version:
Start date: 05/06/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture:
Description

I don't see the 'mobile-userpool' section for PSK users, only for EAP:

# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fc00:5555::/64
                remote_ts = 192.168.3.0/24,fc00:5555::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
...
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = fc00:3434::/64
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}

I set the 10.12.12.1/32 pool for the user test2 in the WebGUI, but can't see it in swanctl.conf.
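The check below is an added example, not code from the bug report or from pfSense. It parses the subset of swanctl.conf syntax seen in the report ('key = value' leaves, 'name {' and 'name : base {' sections, '#' comments) into nested dicts, then lists every per-user secret (the eap-N / ike-N entries carrying an id-N key) that has no 'con-mobile-userpool-N' connection with a matching 'userfqdn:' remote id and a 'pools =' line. The embedded sample is the report's own swanctl.conf trimmed to the sections the check needs; the function names are the example's own.

```python
"""Audit a swanctl.conf for mobile IPsec users that get no per-user pool.

Added example (not pfSense code). Parses the swanctl.conf subset shown in the
bug report and cross-references per-user secrets against per-user connections.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^(?P<name>[\w.-]+)(?:\s*:\s*(?P<base>[\w.-]+))?\s*\{$")
KEYVAL_RE = re.compile(r"^(?P<key>[\w.-]+)\s*=\s*(?P<value>.*)$")

# The report's swanctl.conf, trimmed to the sections this check needs.
SAMPLE = """\
# This file is automatically generated. Do not edit
connections {
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
pools {
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}
"""


def parse_swanctl(text: str) -> Dict[str, Any]:
    """Parse swanctl.conf text into nested dicts; a 'name : base {' section
    records its base section under the key '__base__'."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif (m := SECTION_RE.match(line)):
            section: Dict[str, Any] = {}
            if m.group("base"):
                section["__base__"] = m.group("base")
            stack[-1][m.group("name")] = section
            stack.append(section)
        elif (m := KEYVAL_RE.match(line)):
            stack[-1][m.group("key")] = m.group("value").strip()
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def mobile_users(conf: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(identity, kind) for every per-user secret; kind is the secrets section
    prefix, 'eap' for EAP users and 'ike' for PSK users."""
    users = []
    for name, sec in conf.get("secrets", {}).items():
        kind = name.split("-", 1)[0]
        if isinstance(sec, dict) and kind in ("eap", "ike"):
            users += [(v, kind) for k, v in sec.items() if k.startswith("id-")]
    return users


def audit(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Per user: auth kind, the per-user pool its connection references (if
    any), and that pool's address range."""
    conf = parse_swanctl(text)
    pool_by_remote_id = {}
    for conn in conf.get("connections", {}).values():
        remote = conn.get("remote", {}) if isinstance(conn, dict) else {}
        if isinstance(remote, dict) and "id" in remote and "pools" in conn:
            pool_by_remote_id[remote["id"]] = conn["pools"]
    report = {}
    for user, kind in mobile_users(conf):
        pool = pool_by_remote_id.get(f"userfqdn:{user}")  # ids as written on the page
        addrs = conf.get("pools", {}).get(pool, {}).get("addrs") if pool else None
        report[user] = {"auth": kind, "pool": pool, "addrs": addrs}
    return report


def users_without_pool(text: str) -> List[str]:
    """Identities that have a secret but no per-user pool in the connections."""
    return [u for u, info in audit(text).items() if info["pool"] is None]


if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(user, info)
    print("no per-user pool:", users_without_pool(SAMPLE))
```

On the trimmed sample (and on the full file from the report once its '...' line is deleted) the audit reports test1 with pool 10.11.11.1/32 and test2 with no pool, which is exactly the symptom described above: the PSK user's pool set in the WebGUI never reaches swanctl.conf.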

Actions #1

Updated by Viktor Gurov over 4 years ago

Same on 2.4.5

/var/etc/ipsec/ipsec.conf:
...
conn mobile-1
    also = con-mobile
    eap_identity = %identity
    rightsourceip = 10.22.22.22/32
    rightid = userfqdn:testeap

/var/etc/ipsec/ipsec.secrets:
 test1 : PSK 0sMTIz
 testeap : EAP 0sMTIz

Actions #2

Updated by Jim Pingle over 4 years ago

It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.

It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.

Actions #3

Updated by Viktor Gurov over 4 years ago

Jim Pingle wrote:

It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.

It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.

This is correct, because an IPsec Mobile PSK client can't provide an ID.

It's better to hide fields not supported by PSK:
https://github.com/pfsense/pfsense/pull/4369

Actions #4

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

Actions #5

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #6

Updated by Danilo Zrenjanin about 4 years ago

  • Status changed from Feedback to Resolved

Tested on:

2.5.0-DEVELOPMENT (amd64)
built on Sat Oct 10 01:03:57 EDT 2020
FreeBSD 12.2-STABLE

Virtual Address Pool, Identifier type and DNS Server fields are hidden once the PSK secret type is selected.

Ticket resolved.
