
Bug #8765

Per-user firewall rules for IPsec do not work

Added by Jim Pingle 12 months ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 08/07/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

The IPsec attribute code that processes firewall rules passed back through authentication is missing spaces between rule tokens, so the rules it generates are syntactically invalid.

Fixed by PR https://github.com/pfsense/pfsense/pull/3942, which was merged a while ago.

History

#1 Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Resolved
  • Assignee set to Jim Pingle

Looks good.

Added this to RADIUS user reply attributes:

Cisco-AVPair = "ip:inacl#1=permit tcp any any",
Cisco-AVPair += "ip:outacl#1=permit tcp any any"

Connected to an xauth mobile VPN (rules won't work with EAP, different auth mechanism in strongSwan).

Rules file looks OK:

: cat ipsec_86068river.rules
pass in quick on enc0 proto tcp from any to any no state
pass out quick on enc0 proto tcp from any to any no state

pf loaded the rules OK:

: pfSsh.php playback pfanchordrill
[...]
ipsec rules/nat contents:

ipsec/river rules/nat contents:
pass in quick on enc0 proto tcp all no state
pass out quick on enc0 proto tcp all no state
[...]
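As an added illustration (not pfSense's own PHP code), here is the translation the comment above exercises: Cisco-AVPair ip:inacl/ip:outacl entries turned into pf rules on enc0, built token by token and checked against a pf-syntax pattern so that a missing space like the one in this bug is caught before anything is loaded. Function names, the sample attributes and the wildcard-mask handling are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample RADIUS reply attributes, in the form used in the comment above.
SAMPLE_AVPAIRS = [
    'ip:inacl#1=permit tcp any any',
    'ip:outacl#1=permit tcp any any',
    'ip:inacl#2=deny udp any host 10.0.0.5',
    'ip:inacl#3=permit tcp 192.168.1.0 0.0.0.255 any',
]

AVPAIR_RE = re.compile(r'^ip:(inacl|outacl)#(\d+)=(permit|deny)\s+(\S+)\s+(.+)$')
# Sanity pattern for the rule we emit; a rule with a missing space does not match it.
PF_RULE_RE = re.compile(
    r'^(pass|block) (in|out) quick on \S+( proto \S+)? from \S+ to \S+ no state$')

def _take_addr(tokens):
    """Consume one Cisco ACL address (any | host A | A WILDCARD); return pf form."""
    tok = tokens.pop(0)
    if tok == 'any':
        return 'any'
    if tok == 'host':
        return str(ipaddress.ip_address(tokens.pop(0)))
    wildcard = tokens.pop(0)
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0 -> /24
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return str(ipaddress.ip_network(f'{tok}/{netmask}', strict=False))

def avpair_to_pf(avpair, iface='enc0'):
    """Translate one ip:inacl/ip:outacl AV pair into a pf rule, or None if unusable."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        return None
    acl, _seq, action, proto, rest = m.groups()
    tokens = rest.split()
    try:
        src, dst = _take_addr(tokens), _take_addr(tokens)
    except (IndexError, ValueError):
        return None
    if tokens:  # port qualifiers (eq 80 ...) are not handled: refuse rather than widen the rule
        return None
    parts = ['pass' if action == 'permit' else 'block', 'in' if acl == 'inacl' else 'out',
             'quick', 'on', iface]
    if proto != 'ip':  # Cisco "ip" means any protocol; pf expresses that by omitting proto
        parts += ['proto', proto]
    parts += ['from', src, 'to', dst, 'no', 'state']
    rule = ' '.join(parts)  # explicit single-space join: no token can run into its neighbour
    if not PF_RULE_RE.match(rule):
        raise ValueError(f'malformed rule generated: {rule!r}')
    return rule

def avpairs_to_rules(avpairs, iface='enc0'):
    """Translate a list of reply attributes, skipping entries that are not ACL lines."""
    return [r for r in (avpair_to_pf(a, iface) for a in avpairs) if r]
```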
