Per-user firewall rules for IPsec do not work
The IPsec attribute code which processes firewall rules passed back through authentication is missing spaces, causing it to form invalid rules.
Fixed by PR https://github.com/pfsense/pfsense/pull/3942 which was merged a while ago
Updated by Jim Pingle about 5 years ago
- Status changed from Feedback to Resolved
- Assignee set to Jim Pingle
Added this to RADIUS user reply attributes:
Cisco-AVPair = "ip:inacl#1=permit tcp any any", Cisco-AVPair += "ip:outacl#1=permit tcp any any"
Connected to an xauth mobile VPN (rules won't work with EAP, different auth mechanism in strongSwan).
Rules file looks OK:
: cat ipsec_86068river.rules pass in quick on enc0 proto tcp from any to any no state pass out quick on enc0 proto tcp from any to any no state
pf loaded the rules OK:
: pfSsh.php playback pfanchordrill [...] ipsec rules/nat contents: ipsec/river rules/nat contents: pass in quick on enc0 proto tcp all no state pass out quick on enc0 proto tcp all no state [...]