Feature #8292

IPsec mobile clients with different (virtual) IP addresses by (EAP) identity

Added by Christian R. about 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
01/23/2018
Due date:
% Done:

0%

Estimated time:

Description

Extending the mobile clients with IPs on a per-user basis / EAP identity. This enables managing different users with different firewall rules (assigning a user to a specific network).
This is very helpful in small environments without certificate management and the need to roll it out to every device.

Changes could also target different encryption settings by user.

Details in forum post https://forum.pfsense.org/index.php?topic=142560.0
For now I don't have an idea where to start the modification in the WebUI. In the "Pre-Shared Keys" section?

var-etc-ipsec-strongswan.conf (1.15 KB), var/etc/ipsec/strongswan.conf, James Dekker, 07/06/2018 11:06 AM
06-07-2018_12_14_34.png (58.4 KB), James Dekker, 07/06/2018 11:16 AM

History

#2 Updated by Jim Pingle over 1 year ago

  • Target version set to 2.4.4

Original PR was merged. There is a follow-up PR to address issues at https://github.com/pfsense/pfsense/pull/3949

#3 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback

PR was merged yesterday.

#4 Updated by James Dekker over 1 year ago

On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec client, and it still had the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.

#5 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to New

#6 Updated by Christian R. over 1 year ago

James Dekker wrote:

On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec client, and it still had the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.

Can you please post your /var/etc/ipsec/ipsec.conf?
Those user-specific entries just extend the "default" phase 1. The DNS of VPN > IPsec > Mobile Clients seems to be defined in /var/etc/ipsec/strongswan.conf, which does not get overwritten by ipsec.conf.

strongswan wiki:
Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.

Perhaps the current behaviour should be changed to write DNS as rightdns into ipsec.conf instead of strongswan.conf (plugin attr)?

#7 Updated by James Dekker over 1 year ago

Christian R. wrote:

James Dekker wrote:

On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec client, and it still had the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.

Can you please post your /var/etc/ipsec/ipsec.conf?
Those user-specific entries just extend the "default" phase 1. The DNS of VPN > IPsec > Mobile Clients seems to be defined in /var/etc/ipsec/strongswan.conf, which does not get overwritten by ipsec.conf.

strongswan wiki:
Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.

Perhaps the current behaviour should be changed to write DNS as rightdns into ipsec.conf instead of strongswan.conf (plugin attr)?

The /var/etc/ipsec/strongswan.conf file is attached along with a screenshot of the configuration on VPN > IPsec > Pre-Shared Keys.

The Virtual Address Pool specified on the PSK page does take effect and the Mobile IPsec client receives an address from that pool, rather than the one defined on VPN > IPsec > Mobile Clients.

However, on further inspection it does look like the DNS server on the PSK page is being installed. Unfortunately, the DNS server from the Mobile Clients page is being installed first so queries hit it and not the DNS server defined on the PSK page.

Below is a snippet of the strongswan client log:

Jul  6 12:17:42 08[IKE] installing DNS server 192.168.10.1
Jul  6 12:17:42 08[CFG] handling UNITY_BANNER attribute failed
Jul  6 12:17:42 08[IKE] installing DNS server 208.67.222.222
Jul  6 12:17:42 08[IKE] installing new virtual IP 10.4.254.1

With the Virtual Address Pool working as expected and DNS server being the problem child now, it may be better to split the ticket off to handle the DNS server issue separately.

#8 Updated by Christian R. over 1 year ago

James Dekker wrote:

With the Virtual Address Pool working as expected and DNS server being the problem child now, it may be better to split the ticket off to handle the DNS server issue separately.

You are right. If the DNS from VPN > IPsec > Mobile Clients were (only) used as rightdns in ipsec.conf, the DNS in VPN > IPsec > Pre-Shared Keys would work as expected.

#9 Updated by Christian R. over 1 year ago

I have found one more note in the strongswan wiki: https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp

DNS servers
DNS servers and other attributes can be assigned by plugins (e.g. the attr plugin) or since 5.0.1 directly in ipsec.conf by use of the rightdns option. In swanctl.conf each pool in the pools section may define a list of attributes to assign to clients.

This should be the way to go?
If I have a little free time the next days, I will have a look at the source.
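As an added example (not pfSense's or strongSwan's own code), a small checker for the mismatch discussed in #6 and #9: it parses constructed ipsec.conf and strongswan.conf samples, resolves `also=` inheritance, and reports conns whose `rightdns` would be pushed alongside the global attr-plugin `dns` list. The conn names, addresses and file contents are constructed, and the ipsec.conf parser handles only the simple `conn` / indented `key=value` layout used here.

```python
import re
# Constructed sample configs for this example (not the files attached to the ticket).
IPSEC_CONF = """\
conn con-mobile
    rightsourceip=10.4.254.0/24
    rightdns=192.168.10.1
    eap_identity=%identity
conn con-mobile-alice
    also=con-mobile
    eap_identity=alice
    rightsourceip=10.4.250.1/32
    rightdns=208.67.222.222
"""
STRONGSWAN_CONF = "charon {\n  plugins {\n    attr {\n      dns = 192.168.10.1\n    }\n  }\n}\n"

def split_list(value):
    """Split a comma/space separated attribute list such as 'a, b'."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with one level of also= inheritance applied."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and line[:1].isspace() and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            conns[current][key] = val
    resolved = {}
    for name, opts in conns.items():
        merged = dict(conns.get(opts.get("also", ""), {}))  # parent conn's settings first
        merged.update(opts)                                  # then this conn's own overrides
        resolved[name] = merged
    return resolved

def attr_plugin_dns(text):
    """DNS servers the attr plugin pushes to every client, whatever conn matched."""
    m = re.search(r"attr\s*\{[^}]*?\bdns\s*=\s*([^\n]+)", text)
    return split_list(m.group(1)) if m else []

def dns_conflicts(ipsec_text, strongswan_text):
    """Name conns whose rightdns is pushed alongside a global attr-plugin DNS list
    (the client log in this ticket shows the global server installed first, so it wins)."""
    global_dns = attr_plugin_dns(strongswan_text)
    return [f"{name}: attr plugin dns {global_dns} shadows rightdns {opts['rightdns']}"
            for name, opts in parse_ipsec_conf(ipsec_text).items()
            if global_dns and set(split_list(opts.get("rightdns", ""))) - set(global_dns)]
```

Running `dns_conflicts(IPSEC_CONF, STRONGSWAN_CONF)` flags only the per-identity conn; removing the attr-plugin `dns` line (or keeping it equal to the default conn's `rightdns`) yields no findings.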

#11 Updated by Jim Pingle over 1 year ago

This specific feature (Virtual IP addresses by EAP ID) appears to be working. The remaining issue with DNS was split off to #8644, so closing this one out.

#12 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Resolved
