Feature #8292
Status: closed
IPsec mobile clients with different (virtual) IP addresses by (EAP) identity
Added by Christian R. almost 7 years ago. Updated over 6 years ago.
Description
Extending the mobile clients with IPs on a per-user basis / EAP identity. This enables managing different users with different firewall rules (assigning a user to a specific network).
This is very helpful in small environments without certificate management and the need to roll it out to every device.
Changes could also target different encryption settings by user.
Details in forum post https://forum.pfsense.org/index.php?topic=142560.0
For now I don't have an idea where to start the modification in the WebUI. In the "Pre-Shared Keys" section?
Files
var-etc-ipsec-strongswan.conf (1.15 KB) - var/etc/ipsec/strongswan.conf - Anonymous, 07/06/2018 11:06 AM
06-07-2018_12_14_34.png (58.4 KB) - Anonymous, 07/06/2018 11:16 AM
Updated by Christian R. almost 7 years ago
pull request on github: https://github.com/pfsense/pfsense/pull/3904
Updated by Jim Pingle over 6 years ago
- Target version set to 2.4.4
Original PR was merged. There is a follow-up PR to address issues at https://github.com/pfsense/pfsense/pull/3949
Updated by Anonymous over 6 years ago
On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec client and it was still having the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.
Updated by Christian R. over 6 years ago
James Dekker wrote:
On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec client and it was still having the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.
Can you please post your /var/etc/ipsec/ipsec.conf?
Those user-specific entries are just extending the "default" phase 1. The DNS of VPN > IPsec > Mobile Clients seems to be defined in /var/etc/ipsec/strongswan.conf, which does not get overwritten by ipsec.conf.
strongswan wiki:
Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.
Perhaps the current behaviour should be changed to write DNS as rightdns into ipsec.conf instead of strongswan.conf (plugin attr)?
Updated by Anonymous over 6 years ago
- File var-etc-ipsec-strongswan.conf var-etc-ipsec-strongswan.conf added
- File 06-07-2018_12_14_34.png 06-07-2018_12_14_34.png added
Christian R. wrote:
James Dekker wrote:
On 2.4.4.a.20180705.0032 the options appear. Tested specifying a different DNS server, saved and applied changes, stopped and started the IPsec service, reconnected the Mobile IPsec client and it was still having the DNS server defined at VPN > IPsec > Mobile Clients pushed rather than the DNS server manually specified at VPN > IPsec > Pre-Shared Keys > Edit.
Can you please post your /var/etc/ipsec/ipsec.conf?
Those user-specific entries are just extending the "default" phase 1. The DNS of VPN > IPsec > Mobile Clients seems to be defined in /var/etc/ipsec/strongswan.conf, which does not get overwritten by ipsec.conf.
strongswan wiki:
Since 5.0.1 connection-specific DNS servers may also be assigned with the rightdns option in ipsec.conf.
Perhaps the current behaviour should be changed to write DNS as rightdns into ipsec.conf instead of strongswan.conf (plugin attr)?
The /var/etc/ipsec/strongswan.conf file is attached along with a screenshot of the configuration on VPN > IPsec > Pre-Shared Keys.
The Virtual Address Pool specified on the PSK page does take effect and the Mobile IPsec client receives an address from that pool, rather than the one defined on VPN > IPsec > Mobile Clients.
However, on further inspection it does look like the DNS server on the PSK page is being installed. Unfortunately, the DNS server from the Mobile Clients page is being installed first so queries hit it and not the DNS server defined on the PSK page.
Below is a snippet of the strongswan client log:
Jul 6 12:17:42 08[IKE] installing DNS server 192.168.10.1
Jul 6 12:17:42 08[CFG] handling UNITY_BANNER attribute failed
Jul 6 12:17:42 08[IKE] installing DNS server 208.67.222.222
Jul 6 12:17:42 08[IKE] installing new virtual IP 10.4.254.1
With the Virtual Address Pool working as expected and DNS server being the problem child now, it may be better to split the ticket off to handle the DNS server issue separately.
Updated by Christian R. over 6 years ago
James Dekker wrote:
With the Virtual Address Pool working as expected and DNS server being the problem child now, it may be better to split the ticket off to handle the DNS server issue separately.
You are right. If the DNS from VPN > IPsec > Mobile Clients would (only) be used as rightdns in ipsec.conf, the DNS in VPN > IPsec > Pre-Shared Keys will work as expected.
Updated by Christian R. over 6 years ago
Have found one more in the strongswan wiki: https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
DNS servers
DNS servers and other attributes can be assigned by plugins (e.g. the attr plugin) or since 5.0.1 directly in ipsec.conf by use of the rightdns option. In swanctl.conf each pool in the pools section may define a list of attributes to assign to clients.
This should be the way to go?
If I have a little free time the next days, I will have a look at the source.
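The overlap described in the replies above (Mobile Clients DNS pushed by the attr plugin in strongswan.conf, per-identity DNS pushed by rightdns in ipsec.conf) and the proposed move of the default DNS to rightdns, as an added example that is not pfSense or strongSwan code. The config text is constructed; the conn names con-mobile and con-mobile-alice, the identity alice, the rightid-based matching and the order in which the client installs the pushed servers (attr plugin first, mirroring the client log quoted above) are assumptions.

```python
# Added example (not pfSense or strongSwan code). Constructed configs model
# the ticket: attr-plugin DNS in strongswan.conf plus rightdns in ipsec.conf.
import re

STRONGSWAN_CONF = "charon {\n  plugins {\n    attr {\n      dns = 192.168.10.1\n    }\n  }\n}\n"
IPSEC_CONF = """conn con-mobile
    rightsourceip = 10.4.250.0/24
    rightauth = eap-mschapv2
    eap_identity = %identity
conn con-mobile-alice
    also = con-mobile
    rightid = alice
    rightsourceip = 10.4.254.0/24
    rightdns = 208.67.222.222
"""
# Assumed fix from the ticket: default DNS as rightdns, attr plugin left empty.
IPSEC_CONF_FIXED = IPSEC_CONF.replace(
    "eap_identity = %identity", "eap_identity = %identity\n    rightdns = 192.168.10.1")

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def effective_conn(conns, name):
    """Merge settings through 'also=' so the child's own keys win."""
    own = dict(conns[name])
    base = effective_conn(conns, own.pop("also")) if "also" in own else {}
    return {**base, **own}

def attr_plugin_dns(text):
    """DNS list the attr plugin in strongswan.conf pushes to every client."""
    m = re.search(r"attr\s*\{[^}]*?\bdns\s*=\s*([^\n]+)", text)
    return [s.strip() for s in m.group(1).split(",")] if m else []

def dns_pushed_to(identity, ipsec_text, strongswan_text, default="con-mobile"):
    """Ordered DNS servers a client authenticating as 'identity' receives."""
    conns = parse_ipsec_conf(ipsec_text)
    match = [n for n in conns if conns[n].get("rightid") == identity]
    cfg = effective_conn(conns, match[0] if match else default)
    pushed = attr_plugin_dns(strongswan_text)  # installed first, as in the log
    pushed += [s.strip() for s in cfg.get("rightdns", "").split(",") if s.strip()]
    return pushed
```

With the attr plugin set, alice receives both servers and the default one lands first; with the default moved to rightdns, her per-identity entry overrides it and clients without their own conn still get the default.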
Updated by Christian R. over 6 years ago
Moved to #8644.
Updated by Jim Pingle over 6 years ago
This specific feature (Virtual IP addresses by EAP ID) appears to be working. Remaining issue with DNS was split off to #8644, so closing this one out.