Regression #11447

open

EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes

Added by Jim Pingle 8 months ago. Updated 2 months ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/18/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture:

Description

When using IKEv2 EAP-RADIUS mobile IPsec and assigning client addresses from RADIUS, the pools configuration is omitted from swanctl.conf.

The pools and mobile-pool blocks are omitted since there are no addresses known for clients. The RADIUS config is in strongswan.conf.

May still need to define the pools without addresses (if possible) or find other compatible syntax.


Related issues

Related to Bug #11891: strongSwan configuration contains incorrect structure for mobile pool DNS records | Feedback | Jim Pingle | 05/05/2021

Actions #1

Updated by Jim Pingle 8 months ago

  • Assignee set to Jim Pingle

As a workaround, define a pool network. Clients will still pull their assigned addresses from RADIUS and the other settings will be populated in the configuration and make it to clients.

Actions #3

Updated by Jim Pingle 8 months ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Renato Botelho 8 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #5

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1
Actions #6

Updated by Renato Botelho 7 months ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions #7

Updated by Jim Pingle 7 months ago

To test:

  • Set up mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
  • Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
  • Fill in DNS server information
  • Check the generated swanctl.conf for the configured DNS servers and they will be missing

On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.
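
One way to automate the last test step above, as an added example that is not part of the original comment or the pfSense code base: it parses a generated swanctl.conf and reports which pools carry a dns attribute. The sample configurations, the connection name, the addresses, and the placement of mobile-pool under pools are constructed assumptions, and the parser assumes one statement per line.

```python
# Constructed samples, not taken from a real firewall. The pool name and
# its place under "pools" are assumptions based on the issue description.
SAMPLE_MISSING = """
connections {
    con-mobile {
        remote {
            auth = eap-radius
        }
    }
}
"""
SAMPLE_FIXED = SAMPLE_MISSING + """
pools {
    mobile-pool {
        dns = 192.0.2.53, 192.0.2.54
    }
}
"""

def parse_swanctl(text):
    """Parse brace-style config into nested dicts (one statement per line)."""
    stack = [{}]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.endswith("{"):               # "name {" opens a section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                    # "}" closes the current section
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched closing brace")
            stack.pop()
        elif "=" in line:                    # "key = value" setting
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of file")
    return stack[0]

def pool_dns(text):
    """Return {pool name: [DNS servers]} for each pool that sets dns."""
    pools = parse_swanctl(text).get("pools", {})
    return {name: [s.strip() for s in body["dns"].split(",")]
            for name, body in pools.items()
            if isinstance(body, dict) and "dns" in body}
```

An empty result from pool_dns() corresponds to the "missing" state described in the test steps. A later comment in this thread moves the attributes to strongswan.conf, so on builds with that change an empty result from swanctl.conf alone is not conclusive.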

Actions #8

Updated by Viktor Gurov 7 months ago

Jim Pingle wrote:

To test:

  • Set up mobile IPsec using IKEv2 and EAP-RADIUS against a RADIUS server
  • Leave the Virtual Address Pool empty so that clients pull addresses from RADIUS
  • Fill in DNS server information
  • Check the generated swanctl.conf for the configured DNS servers and they will be missing

On a snapshot with the fix, the swanctl.conf file will contain the necessary pool configuration data.

Still not working as expected.
It looks like we need to use strongswan.conf for this (pre-2.5 style).

Actions #9

Updated by Jim Pingle 7 months ago

  • Target version changed from 2.5.1 to CE-Next

If it needs that kind of more involved work then we can look at it deeper for the next release after this.

Actions #10

Updated by Jim Pingle 5 months ago

  • Target version changed from CE-Next to 2.6.0
Actions #11

Updated by Jim Pingle 5 months ago

  • Plus Target Version set to 21.05
Actions #12

Updated by Jim Pingle 5 months ago

Already in 21.05 branch.

Actions #13

Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to New
  • Plus Target Version changed from 21.05 to 21.09

Reverted changes for now, they were causing the configuration to fail. Can try again before the next release.

Actions #14

Updated by Viktor Gurov 2 months ago

Revert to pre-2.5 style (attr in strongswan.conf), which works fine:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/314

Actions #15

Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
Actions #16

Updated by Jim Pingle 2 months ago

  • Related to Bug #11891: strongSwan configuration contains incorrect structure for mobile pool DNS records added
Actions #17

Updated by Anonymous 2 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100