
Bug #10532

Mobile PSK users don't have 'mobile-userpool' section

Added by Viktor Gurov 2 months ago. Updated 16 days ago.

Status: Pull Request Review
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 05/06/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:

Description

I don't see the 'mobile-userpool' section for PSK users, only for EAP:

# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fc00:5555::/64
                remote_ts = 192.168.3.0/24,fc00:5555::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
...
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = fc00:3434::/64
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}

I set the 10.12.12.1/32 pool for the user test2 in the WebGUI, but can't see it in swanctl.conf.
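An added example, not part of the report or of pfSense's own code: a small Python check that parses a generated swanctl.conf and lists which mobile user secrets (eap-N or ike-N sections) have no per-user connection assigning a pool, which is the mismatch the report describes. The sample input is constructed from the excerpt above and trimmed; the names parse_swanctl, users_without_pool and the "_inherits" key are my own.

```python
# Constructed sample, trimmed from the report: EAP user test1 has a per-user
# pool connection, PSK user test2 has only an ike-N secret.
SAMPLE = """\
connections {
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
        }
        pools = mobile-userpool-1
    }
}
secrets {
    eap-1 {
        id-0 = test1
    }
    ike-2 {
        id-0 = test2
    }
}
"""

def parse_swanctl(text):
    """Parse nested swanctl.conf sections into dicts; "name : parent {" keeps parent under "_inherits"."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; values containing '#' are not supported
        if line.endswith("{"):
            name, _, parent = (p.strip() for p in line[:-1].partition(":"))
            stack.append(stack[-1].setdefault(name, {"_inherits": parent} if parent else {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            stack[-1][key] = val
    return root

def users_without_pool(conf):
    """Return (identity, kind) for each mobile user secret lacking a per-user pool connection."""
    pooled = set()
    for sec in conf.get("connections", {}).values():
        rid = sec.get("remote", {}).get("id", "") if "pools" in sec else ""
        if rid:
            pooled.add(rid.split(":", 1)[-1])  # strip the userfqdn: prefix
    missing = []
    for name, sec in conf.get("secrets", {}).items():
        kind = name.split("-", 1)[0]  # eap-N or ike-N (PSK); private-N is skipped
        ident = sec.get("id-0")
        if kind in ("eap", "ike") and ident and ident not in pooled:
            missing.append((ident, kind))
    return missing
```

Run against the real /var/etc/ipsec/swanctl.conf, the returned list shows which users the generator silently left without their configured pool.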

History

#1 Updated by Viktor Gurov 2 months ago

Same on 2.4.5:

/var/etc/ipsec/ipsec.conf:
...
conn mobile-1
    also = con-mobile
    eap_identity = %identity
    rightsourceip = 10.22.22.22/32
    rightid = userfqdn:testeap

/var/etc/ipsec/ipsec.secrets:
 test1 : PSK 0sMTIz
 testeap : EAP 0sMTIz

#2 Updated by Jim Pingle 2 months ago

It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.

It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.

#3 Updated by Viktor Gurov 17 days ago

Jim Pingle wrote:

It may be as easy as removing the EAP check at source:src/etc/inc/ipsec.inc#L1596 -- but non-EAP users were also excluded before we migrated to swanctl.conf style syntax, so it needs testing before committing that change. Looks like they were excluded all the way back to when per-user settings like that were introduced.

It might be that non-EAP users won't work with certain settings, or it may just be that they haven't been tested/checked and it works fine. It's also possible it was an ipsec.conf config limitation and now that we're on swanctl.conf it doesn't matter.

This is correct because an IPsec Mobile PSK client can't provide an ID.

It's better to hide fields not supported by PSK:
https://github.com/pfsense/pfsense/pull/4369

#4 Updated by Jim Pingle 16 days ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0
