Bug #10532
closed
Mobile PSK users don't have 'mobile-userpool' section
100%
Description
I don't see the 'mobile-userpool' section for PSK users, only for EAP:
# This file is automatically generated. Do not edit
connections {
bypass {
remote_addrs = 127.0.0.1
children {
bypass {
local_ts = 192.168.3.0/24,fc00:5555::/64
remote_ts = 192.168.3.0/24,fc00:5555::/64
mode = pass
start_action = trap
}
}
}
con-mobile : con-mobile-defaults {
# Stub to load con-mobile-defaults
}
con-mobile-userpool-1 : con-mobile-defaults {
remote {
id = userfqdn:test1
eap_id = %any
}
pools = mobile-userpool-1
}
}
...
pools {
mobile-pool-v4 : mobile-pool {
addrs = 10.33.33.0/24
}
mobile-pool-v6 : mobile-pool {
addrs = fc00:3434::/64
}
mobile-userpool-1 : mobile-pool {
addrs = 10.11.11.1/32
}
}
secrets {
private-0 {
file = /var/etc/ipsec/private/cert-1.key
}
eap-1 {
secret = 0sMTIz
id-0 = test1
}
ike-2 {
secret = 0sMTIz
id-0 = test2
}
}
I set the 10.12.12.1/32 pool for the user test2 in WebGUI, but can't see it in swanctl.conf
Updated by Viktor Gurov almost 4 years ago
some on 2.4.5
/var/etc/ipsec/ipsec.conf:
...
conn mobile-1
also = con-mobile
eap_identity = %identity
rightsourceip = 10.22.22.22/32
rightid = userfqdn:testeap
/var/etc/ipsec/ipsec.secrets:
test1 : PSK 0sMTIz
testeap : EAP 0sMTIz
Updated by Jim Pingle almost 4 years ago
It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.
It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.
Updated by Viktor Gurov almost 4 years ago
Jim Pingle wrote:
It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.
It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.
This is correct because IPsec Mobile PSK client can't provide ID.
It's better to hide fields not supported by PSK:
https://github.com/pfsense/pfsense/pull/4369
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Danilo Zrenjanin over 3 years ago
- Status changed from Feedback to Resolved
Tested on:
2.5.0-DEVELOPMENT (amd64) built on Sat Oct 10 01:03:57 EDT 2020 FreeBSD 12.2-STABLE
Virtual Address Pool, Identifier type and DNS Server fields are hidden once the PSK secret type is selected.
Ticket resolved.