Project

General

Profile

Actions

Feature #8292

closed

IPsec mobile clients with different (virtual) IP addresses by (EAP) identity

Added by Christian R. about 6 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
01/23/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Extending the mobile clients with IP's on a per user basis / EAP identity. This enables managing different users with different Firewall rules (assigning user to a specific network).
This is very helpful on small environments without having a certificate management and the need to roll it out to every device.

changes could also targeting different encryptions settings by user.

details in forum post https://forum.pfsense.org/index.php?topic=142560.0
for now I don't have an idea, where to start the modification in the WebUI. In the "Pre-Shared Keys"-section?


Files

var-etc-ipsec-strongswan.conf (1.15 KB) var-etc-ipsec-strongswan.conf var/etc/ipsec/strongswan.conf Anonymous, 07/06/2018 11:06 AM
06-07-2018_12_14_34.png (58.4 KB) 06-07-2018_12_14_34.png Anonymous, 07/06/2018 11:16 AM
Actions #2

Updated by Jim Pingle almost 6 years ago

  • Target version set to 2.4.4

Original PR was merged. There is a follow-up PR to address issues at https://github.com/pfsense/pfsense/pull/3949

Actions #3

Updated by Jim Pingle almost 6 years ago

  • Status changed from New to Feedback

PR was merged yesterday.

Actions #4

Updated by Anonymous over 5 years ago

On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec slient and it was still having the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.

Actions #5

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to New
Actions #6

Updated by Christian R. over 5 years ago

James Dekker wrote:

On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec slient and it was still having the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.

Can you please post your /var/etc/ipsec/ipsec.conf?
Those user specific entries are just extending the "default" phase1. The DNS of VPN > IPsec > Mobile Clients seems to be defined in /var/etc/ipsec/strongswan.conf which gets not overwritten by ipsec.conf.

strongswan wiki:
Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.

Perhaps the current behaviour should be changed to write DNS as rightdns into ipsec.conf instead of strongswan.conf (plugin attr)?

Actions #7

Updated by Anonymous over 5 years ago

Christian R. wrote:

James Dekker wrote:

On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec slient and it was still having the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.

Can you please post your /var/etc/ipsec/ipsec.conf?
Those user specific entries are just extending the "default" phase1. The DNS of VPN > IPsec > Mobile Clients seems to be defined in /var/etc/ipsec/strongswan.conf which gets not overwritten by ipsec.conf.

strongswan wiki:
Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.

Perhaps the current behaviour should be changed to write DNS as rightdns into ipsec.conf instead of strongswan.conf (plugin attr)?

The /var/etc/ipsec/strongswan.conf file is attached along with a screenshot of the configuration on VPN > IPsec > Pre-Shared Keys

The Virtual Address Pool specified on the PSK page does take effect and the Mobile IPsec client receives an address from that pool, rather than the one defined on VPN > IPsec > Mobile Clients.

However, on further inspection it does look like the DNS server on the PSK page is being installed. Unfortunately, the DNS server from the Mobile Clients page is being installed first so queries hit it and not the DNS server defined on the PSK page.

Below is a snippet of the strongswan client log

Jul  6 12:17:42 08[IKE] installing DNS server 192.168.10.1
Jul  6 12:17:42 08[CFG] handling UNITY_BANNER attribute failed
Jul  6 12:17:42 08[IKE] installing DNS server 208.67.222.222
Jul  6 12:17:42 08[IKE] installing new virtual IP 10.4.254.1

With the Virtual Address Pool working as expected and DNS server being the problem child now, it may be better to split the ticket off to handle the DNS server issue separately.

Actions #8

Updated by Christian R. over 5 years ago

James Dekker wrote:

With the Virtual Address Pool working as expected and DNS server being the problem child now, it may be better to split the ticket off to handle the DNS server issue separately.

You are right. If the DNS from VPN > IPsec > Mobile Clients would (only) be used as rightdns in ipsec.conf, the DNS in VPN > IPsec > Pre-Shared Keys will work as expected.

Actions #9

Updated by Christian R. over 5 years ago

Have found one more in the strongswan wiki [[https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp]]

DNS servers
DNS servers and other attributes can be assigned by plugins (e.g. the attr plugin) or since 5.0.1 directly in ipsec.conf by use of the rightdns option. In swanctl.conf each pool in the pools section may define a list of attributes to assign to clients.

This should be the way to go?
If I have a little free time the next days, I will have a look at the source.

Actions #11

Updated by Jim Pingle over 5 years ago

This specific feature (Virtual IP addresses by EAP ID) appears to be working. Remaining issue with DNS was split off to #8644, so closing this one out.

Actions #12

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Resolved
Actions

Also available in: Atom PDF