Project

General

Profile

Actions

Regression #12549

open

Per-user Mobile IPsec settings are not applied to connecting mobile clients

Added by Jim Pingle almost 3 years ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Release Notes:
Force Inclusion
Affected Version:
2.5.x
Affected Architecture:

Description

Not sure when this regressed but it looks like the connection matching in strongSwan is different now than it used to be. Possible that it changed with swanctl.conf vs ipsec.conf changes.

The order right now is "con-mobile" and then the per-user connections underneath, which will never match the user settings since it matches con-mobile first. So con-mobile needs to move down below the per-user connection settings.

Second problem is the identifiers. First, the ID of connecting EAP-MSCHAPv2 clients is most often going to be their IP address and strongSwan matches the eap_id for EAP, not the IKEv2 ID. So for EAP-MSCHAPv2 at least, we can omit the ID. Second related problem is that in the place ipsec_setup_userpools() gets run, it attempts to access $ph1ent which doesn't exist yet. So that function needs to be passed a copy of the mobile P1 so it can check settings inside.

I have a patch to test, but it has an odd side effect. At least for Windows clients, they are prompted to re-enter credentials on each connection attempt because the first one is rejected. So there is likely some other setting that's not quite right yet. Thus I'm not merging it yet until more testing can be done.


Files

patch-12549.diff (3.49 KB) patch-12549.diff Jim Pingle, 11/30/2021 11:54 AM
image (4).png (102 KB) image (4).png Danilo Zrenjanin, 12/01/2021 06:53 AM
Actions

Also available in: Atom PDF